CVS commit: xsrc
Module Name:xsrc Committed By: spz Date: Tue May 13 15:17:33 UTC 2014 Modified Files: xsrc/external/mit/libXfont/dist/src/fc: fsconvert.c fserve.c xsrc/external/mit/libXfont/dist/src/fontfile: dirfile.c xsrc/xfree/xc/lib/font/fc: fsconvert.c fserve.c xsrc/xfree/xc/lib/font/fontfile: dirfile.c Log Message: Fix multiple vulnerabilities in libXfont: - CVE-2014-0209: integer overflow of allocations in font metadata file parsing When a local user who is already authenticated to the X server adds a new directory to the font path, the X server calls libXfont to open the fonts.dir and fonts.alias files in that directory and add entries to the font tables for every line in it. A large file (~2-4 gb) could cause the allocations to overflow, and allow the remaining data read from the file to overwrite other memory in the heap. Affected functions: FontFileAddEntry(), lexAlias() - CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies When parsing replies received from the font server, these calls do not check that the lengths and/or indexes returned by the font server are within the size of the reply or the bounds of the memory allocated to store the data, so could write past the bounds of allocated memory when storing the returned data. Affected functions: _fs_recv_conn_setup(), fs_read_open_font(), fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(), fs_read_list(), fs_read_list_info() - CVE-2014-0211: integer overflows calculating memory needs for xfs replies These calls do not check that their calculations for how much memory is needed to handle the returned data have not overflowed, so can result in allocating too little memory and then writing the returned data past the end of the allocated buffer. 
Affected functions: fs_get_reply(), fs_alloc_glyphs(), fs_read_extent_info() See also: http://lists.x.org/archives/xorg-announce/2014-May/002431.html To generate a diff of this commit: cvs rdiff -u -r1.1.1.3 -r1.2 \ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \ xsrc/external/mit/libXfont/dist/src/fc/fserve.c cvs rdiff -u -r1.1.1.3 -r1.2 \ xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c cvs rdiff -u -r1.4 -r1.5 xsrc/xfree/xc/lib/font/fc/fsconvert.c \ xsrc/xfree/xc/lib/font/fc/fserve.c cvs rdiff -u -r1.4 -r1.5 xsrc/xfree/xc/lib/font/fontfile/dirfile.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.3 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.2 --- xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.3 Fri May 31 01:08:57 2013 +++ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c Tue May 13 15:17:33 2014 @@ -118,6 +118,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp for (i = 0; i nprops; i++, dprop++, is_str++) { memcpy(local_off, off_adr, SIZEOF(fsPropOffset)); + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-name = MakeAtom(pdc[local_off.name.position], local_off.name.length, 1); if (local_off.type != PropTypeString) { @@ -125,10 +129,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp dprop-value = local_off.value.position; } else { *is_str = TRUE; + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-value = (INT32) MakeAtom(pdc[local_off.value.position], local_off.value.length, 1); if (dprop-value == BAD_RESOURCE) { + bail: free (pfi-props); pfi-nprops = 0; pfi-props = 0; 
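Review bot: In the second `_fs_convert_props` hunk, the check added under `*is_str = TRUE;` tests `local_off.name.position` and `local_off.name.length` again, while the `MakeAtom` call it guards indexes `pdc` with `local_off.value.position` and reads `local_off.value.length` bytes. As shown, a reply whose name fields are in range but whose value offset or length is not would still reach the read past `pi->data_len`. The string-value branch should validate the value fields instead: `if ((local_off.value.position >= pi->data_len) || (local_off.value.length > (pi->data_len - local_off.value.position))) goto bail;`. The comparison operators are lost in this rendering of the page, so confirm against the committed file; the function body starts and ends outside the hunk.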
@@ -712,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size FSGlyphPtr glyphs; FSFontPtr fsfont = (FSFontPtr) pFont-fontPrivate; -glyphs = malloc (sizeof (FSGlyphRec) + size); +if (size (INT_MAX - sizeof (FSGlyphRec))) + glyphs = malloc (sizeof (FSGlyphRec) + size); +else +glyphs = NULL; +if (glyphs == NULL) +return NULL; glyphs-next = fsfont-glyphs; fsfont-glyphs = glyphs; return (pointer) (glyphs + 1); Index: xsrc/external/mit/libXfont/dist/src/fc/fserve.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.3 xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.2 --- xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.3 Fri May 31 01:08:57 2013 +++ xsrc/external/mit/libXfont/dist/src/fc/fserve.c Tue May 13 15:17:33 2014 @@ -70,6 +70,7 @@ in this Software without prior written a #include fservestr.h #include X11/fonts/fontutil.h #include errno.h +#includelimits.h #include time.h #define Time_t time_t @@ -91,6 +92,15 @@ in this Software without prior
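Review bot: The new guard in `fs_alloc_glyphs` rejects a negative `size` only as a side effect of converting it to the unsigned type of `sizeof (FSGlyphRec)`, and nothing in the hunk says so (the comparison operator itself is lost in this rendering). Since `size` is an `int` that presumably derives from lengths in a font-server reply, state the intent, either with an explicit `size < 0` test or with a comment such as `/* size is converted to size_t here, so negative values also fail the check */`. The function can now return NULL where the old code dereferenced the `malloc` result unconditionally, so each caller (outside this hunk) needs a NULL check before it writes glyph data.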
CVS commit: src/sys/fs/cd9660
Module Name:src Committed By: martin Date: Tue May 13 17:05:26 UTC 2014 Modified Files: src/sys/fs/cd9660: cd9660_vfsops.c Log Message: PR kern/48799: make filehandles properly use 64bit inodes on CD9660 file systems. Patch from Thomas Schmitt, with slight modifications. To generate a diff of this commit: cvs rdiff -u -r1.84 -r1.85 src/sys/fs/cd9660/cd9660_vfsops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/fs/cd9660/cd9660_vfsops.c diff -u src/sys/fs/cd9660/cd9660_vfsops.c:1.84 src/sys/fs/cd9660/cd9660_vfsops.c:1.85 --- src/sys/fs/cd9660/cd9660_vfsops.c:1.84 Wed Apr 16 18:55:18 2014 +++ src/sys/fs/cd9660/cd9660_vfsops.c Tue May 13 17:05:26 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: cd9660_vfsops.c,v 1.84 2014/04/16 18:55:18 maxv Exp $ */ +/* $NetBSD: cd9660_vfsops.c,v 1.85 2014/05/13 17:05:26 martin Exp $ */ /*- * Copyright (c) 1994 @@ -37,7 +37,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: cd9660_vfsops.c,v 1.84 2014/04/16 18:55:18 maxv Exp $); +__KERNEL_RCSID(0, $NetBSD: cd9660_vfsops.c,v 1.85 2014/05/13 17:05:26 martin Exp $); #if defined(_KERNEL_OPT) #include opt_compat_netbsd.h @@ -641,8 +641,10 @@ cd9660_sync(struct mount *mp, int waitfo struct ifid { ushort ifid_len; ushort ifid_pad; - int ifid_ino; - long ifid_start; + ino_t ifid_ino; +#ifdef ISOFS_DBG + u_long ifid_start; +#endif }; /* ARGSUSED */ @@ -659,7 +661,7 @@ cd9660_fhtovp(struct mount *mp, struct f memcpy(ifh, fhp, sizeof(ifh)); #ifdef ISOFS_DBG - printf(fhtovp: ino %d, start %ld\n, + printf(fhtovp: ino %PRIu64, start %lu\n, ifh.ifid_ino, ifh.ifid_start); #endif 
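Review bot: With `ino_t ifid_ino` following the two `ushort` members, `struct ifid` now most likely carries alignment padding before the inode field, and its size differs between ISOFS_DBG and non-debug kernels; neither fact is documented at the definition. The handle is copied out whole in `cd9660_vptofh` (`memcpy(fhp, &ifh, sizeof(ifh))` in the later hunk), so the `memset` that precedes it there is what keeps padding bytes from carrying stale kernel stack contents into the file handle. A comment on the struct such as `/* contains padding; always zero the whole struct before filling it in */` would protect that. `cd9660_fhtovp` copies `sizeof(ifh)` bytes from the caller-supplied handle, so the length validation before that `memcpy` (outside the hunk) should be confirmed to compare against the new `sizeof(struct ifid)`.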
@@ -914,11 +916,13 @@ cd9660_vptofh(struct vnode *vp, struct f memset(ifh, 0, sizeof(ifh)); ifh.ifid_len = sizeof(struct ifid); ifh.ifid_ino = ip-i_number; +#ifdef ISOFS_DBG ifh.ifid_start = ip-iso_start; +#endif memcpy(fhp, ifh, sizeof(ifh)); #ifdef ISOFS_DBG - printf(vptofh: ino %d, start %ld\n, + printf(vptofh: ino %PRIu64, start %lu\n, ifh.ifid_ino,ifh.ifid_start); #endif return 0;
CVS commit: src/doc
Module Name:src Committed By: christos Date: Tue May 13 16:35:02 UTC 2014 Modified Files: src/doc: CHANGES Log Message: mention tzcode To generate a diff of this commit: cvs rdiff -u -r1.1923 -r1.1924 src/doc/CHANGES Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES diff -u src/doc/CHANGES:1.1923 src/doc/CHANGES:1.1924 --- src/doc/CHANGES:1.1923 Sun Apr 27 17:45:53 2014 +++ src/doc/CHANGES Tue May 13 12:35:02 2014 @@ -1,4 +1,4 @@ -# LIST OF CHANGES FROM LAST RELEASE: $Revision: 1.1923 $ +# LIST OF CHANGES FROM LAST RELEASE: $Revision: 1.1924 $ # # # [Note: This file does not mention every change made to the NetBSD source tree. @@ -415,3 +415,4 @@ Changes from NetBSD 6.0 to NetBSD 7.0: [kardel 20140422] kerberos(8): Update to latest Heimdal-1-5-branch. [pettai 20140424] + libc: Update to tzcode2014c. [christos 20140513]
CVS commit: src/doc
Module Name:src Committed By: christos Date: Tue May 13 16:34:36 UTC 2014 Modified Files: src/doc: 3RDPARTY Log Message: update tzcode. To generate a diff of this commit: cvs rdiff -u -r1.1109 -r1.1110 src/doc/3RDPARTY Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/3RDPARTY diff -u src/doc/3RDPARTY:1.1109 src/doc/3RDPARTY:1.1110 --- src/doc/3RDPARTY:1.1109 Tue May 6 16:39:37 2014 +++ src/doc/3RDPARTY Tue May 13 12:34:36 2014 @@ -1,4 +1,4 @@ -# $NetBSD: 3RDPARTY,v 1.1109 2014/05/06 20:39:37 wiz Exp $ +# $NetBSD: 3RDPARTY,v 1.1110 2014/05/13 16:34:36 christos Exp $ # # This file contains a list of the software that has been integrated into # NetBSD where we are not the primary maintainer. @@ -1271,8 +1271,8 @@ Notes: Added changes from a5 - a12 manually. Package: tz -Version: tzcode2013i / tzdata2013i -Current Vers: tzcode2013i / tzdata2013i +Version: tzcode2014c / tzdata2013i +Current Vers: tzcode2014c / tzdata2014c Maintainer: Paul Eggert egg...@cs.ucla.edu Archive Site: ftp://ftp.iana.org/tz/releases/ Archive Site: ftp://munnari.oz.au/pub/oldtz/
CVS commit: src/sys/dev/pci
Module Name:src Committed By: msaitoh Date: Tue May 13 18:07:24 UTC 2014 Modified Files: src/sys/dev/pci: pci_subr.c Log Message: Print 32bit I/O region flag and 64bit memory region flag. To generate a diff of this commit: cvs rdiff -u -r1.110 -r1.111 src/sys/dev/pci/pci_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/pci/pci_subr.c diff -u src/sys/dev/pci/pci_subr.c:1.110 src/sys/dev/pci/pci_subr.c:1.111 --- src/sys/dev/pci/pci_subr.c:1.110 Mon May 12 23:01:40 2014 +++ src/sys/dev/pci/pci_subr.c Tue May 13 18:07:24 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: pci_subr.c,v 1.110 2014/05/12 23:01:40 msaitoh Exp $ */ +/* $NetBSD: pci_subr.c,v 1.111 2014/05/13 18:07:24 msaitoh Exp $ */ /* * Copyright (c) 1997 Zubin D. Dittia. All rights reserved. @@ -40,7 +40,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: pci_subr.c,v 1.110 2014/05/12 23:01:40 msaitoh Exp $); +__KERNEL_RCSID(0, $NetBSD: pci_subr.c,v 1.111 2014/05/13 18:07:24 msaitoh Exp $); #ifdef _KERNEL_OPT #include opt_pci.h @@ -1696,6 +1696,7 @@ pci_conf_print_type1( use_upper = 1; else use_upper = 0; + onoff(32bit I/O, use_upper); base = (rval PCI_BRIDGE_STATIO_IOBASE_MASK) 8; limit = ((rval PCI_BRIDGE_STATIO_IOLIMIT_SHIFT) PCI_BRIDGE_STATIO_IOLIMIT_MASK) 8; @@ -1749,6 +1750,7 @@ pci_conf_print_type1( use_upper = 1; else use_upper = 0; + onoff(64bit memory address, use_upper); pbase = ((rval PCI_BRIDGE_PREFETCHMEM_BASE_SHIFT) PCI_BRIDGE_PREFETCHMEM_BASE_MASK) 20; plimit = (((rval PCI_BRIDGE_PREFETCHMEM_LIMIT_SHIFT)
CVS commit: src/lib/libc/time
Module Name:src Committed By: christos Date: Tue May 13 16:33:56 UTC 2014 Modified Files: src/lib/libc/time: Makefile NEWS checktab.awk localtime.c private.h tz-link.htm tzfile.h tzset.3 zdump.c zic.c Log Message: Welcome to 2014c Changes affecting code zic now generates transitions for minimum time values, eliminating guesswork when handling low-valued time stamps. (Thanks to Arthur David Olson.) Port to Cygwin sans glibc. (Thanks to Arthur David Olson.) Changes affecting commentary and documentation Remove now-confusing comment about Jordan. (Thanks to Oleksii Nochovnyi.) To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/lib/libc/time/Makefile cvs rdiff -u -r1.1 -r1.2 src/lib/libc/time/NEWS cvs rdiff -u -r1.6 -r1.7 src/lib/libc/time/checktab.awk cvs rdiff -u -r1.81 -r1.82 src/lib/libc/time/localtime.c cvs rdiff -u -r1.32 -r1.33 src/lib/libc/time/private.h \ src/lib/libc/time/zdump.c cvs rdiff -u -r1.13 -r1.14 src/lib/libc/time/tz-link.htm \ src/lib/libc/time/tzfile.h cvs rdiff -u -r1.27 -r1.28 src/lib/libc/time/tzset.3 cvs rdiff -u -r1.44 -r1.45 src/lib/libc/time/zic.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/time/Makefile diff -u src/lib/libc/time/Makefile:1.17 src/lib/libc/time/Makefile:1.18 --- src/lib/libc/time/Makefile:1.17 Mon Jan 27 03:18:08 2014 +++ src/lib/libc/time/Makefile Tue May 13 12:33:56 2014 @@ -6,7 +6,7 @@ PACKAGE= tzcode # Version numbers of the code and data distributions. -VERSION= 2013i +VERSION= 2014c # Email address for bug reports. BUGEMAIL= t...@iana.org 
@@ -137,7 +137,7 @@ GCC_DEBUG_FLAGS = -Dlint -g3 -O3 -fno-co -Wbad-function-cast -Wcast-align -Wcast-qual \ -Wformat=2 -Winit-self \ -Wmissing-declarations -Wmissing-noreturn -Wmissing-prototypes \ - -Wnested-externs \ + -Wnested-externs -Wno-address -Wno-cast-qual \ -Wno-format-nonliteral -Wno-sign-compare -Wno-sign-conversion \ -Wno-type-limits \ -Wno-unused-parameter -Woverlength-strings -Wpointer-arith \ @@ -247,14 +247,13 @@ AWK= awk # is typically nicer if it works. KSHELL= /bin/bash -# The path where SGML DTDs are kept. -# The default is appropriate for Ubuntu 12.10. +# The path where SGML DTDs are kept and the catalog file(s) to use when +# validating. The default is appropriate for Ubuntu 13.10. SGML_TOPDIR= /usr SGML_DTDDIR= $(SGML_TOPDIR)/share/xml/w3c-sgml-lib/schema/dtd SGML_SEARCH_PATH= $(SGML_DTDDIR)/REC-html401-19991224 - -# The catalog file(s) to use when validating. -SGML_CATALOG_FILES= HTML4.cat +SGML_CATALOG_FILES= \ + $(SGML_TOPDIR)/share/doc/w3-recs/html/www.w3.org/TR/1999/REC-html401-19991224/HTML4.cat # The name, arguments and environment of a program to validate your web pages. # See http://www.jclark.com/sp/ for a validator, and @@ -445,7 +444,7 @@ check_web: $(WEB_PAGES) clean_misc: rm -f core *.o *.out \ - date tzselect version.h zdump zic yearistype + date tzselect version.h zdump zic yearistype libtz.a clean: clean_misc rm -fr tzpublic Index: src/lib/libc/time/NEWS diff -u src/lib/libc/time/NEWS:1.1 src/lib/libc/time/NEWS:1.2 --- src/lib/libc/time/NEWS:1.1 Thu Dec 26 13:34:28 2013 +++ src/lib/libc/time/NEWS Tue May 13 12:33:56 2014 
@@ -1,5 +1,138 @@ News for the tz database + +Release 2014c - 2014-05-13 07:44:13 -0700 + + Changes affecting near-future time stamps + +Egypt observes DST starting May 15. (Thanks to Ahmad El-Dardiry.) +Details have not been announced, except that DST will not be observed +during Ramadan. Guess that DST will stop during the same Ramadan dates as +Morocco, and that Egypt's future spring and fall transitions will be the +same as 2010 when it last observed DST, namely April's last Friday at +00:00 to September's last Thursday at 23:00 standard time. Also, guess +that Ramadan transitions will be at 00:00 standard time. + + Changes affecting code + +zic now generates transitions for minimum time values, eliminating guesswork +when handling low-valued time stamps. (Thanks to Arthur David Olson.) + +Port to Cygwin sans glibc. (Thanks to Arthur David Olson.) + + Changes affecting commentary and documentation + +Remove now-confusing comment about Jordan. (Thanks to Oleksii Nochovnyi.) + + +Release 2014b - 2014-03-24 21:28:50 -0700 + + Changes affecting near-future time stamps + +Crimea switches to Moscow time on 2014-03-30 at 02:00 local time. +(Thanks to Alexander Krivenyshev.) Move its zone.tab entry from UA to RU. + +New entry for Troll station, Antarctica. (Thanks to Paul-Inge Flakstad and +Bengt-Inge Larsson.) This is currently an approximation; a better version +will require the zic and localtime fixes mentioned below, and the plan is +to wait for a while until at least the zic fixes propagate. + + Changes affecting code +
CVS commit: src/external/lgpl3/gmp/lib/libgmp/arch
Module Name:src Committed By: macallan Date: Tue May 13 18:46:48 UTC 2014 Modified Files: src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb: Makefile.inc config.h src/external/lgpl3/gmp/lib/libgmp/arch/mips64el: Makefile.inc config.h Log Message: on mips64* use generic C functions instead of assembly routines when building n32 binaries. Should work around PR48696 ok mrg@ To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 \ src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/Makefile.inc cvs rdiff -u -r1.4 -r1.5 \ src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/config.h cvs rdiff -u -r1.5 -r1.6 \ src/external/lgpl3/gmp/lib/libgmp/arch/mips64el/Makefile.inc cvs rdiff -u -r1.4 -r1.5 \ src/external/lgpl3/gmp/lib/libgmp/arch/mips64el/config.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/Makefile.inc diff -u src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/Makefile.inc:1.5 src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/Makefile.inc:1.6 --- src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/Makefile.inc:1.5 Wed Dec 4 00:49:18 2013 +++ src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/Makefile.inc Tue May 13 18:46:48 2014 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.inc,v 1.5 2013/12/04 00:49:18 mrg Exp $ +# $NetBSD: Makefile.inc,v 1.6 2014/05/13 18:46:48 macallan Exp $ SRCS+= \ random.c \ 
@@ -174,6 +174,24 @@ C_SRCS_LIST= \ sbpi1_div_r_sec.c mpn/generic/sbpi1_div_sec.c \ andn_n.c mpn/generic/logops_n.c \ +.if (defined(CPUFLAGS) !empty(CPUFLAGS:M-mabi=64)) +GMP_LIMB_BITS=64 +C_SRCS_LIST= \ + xor_n.c mpn/generic/logops_n.c \ + sb_div_r_sec.c mpn/generic/sb_div_sec.c \ + nand_n.c mpn/generic/logops_n.c \ + nior_n.c mpn/generic/logops_n.c \ + hamdist.c mpn/generic/popham.c \ + popcount.c mpn/generic/popham.c \ + sbpi1_div_qr_sec.c mpn/generic/sbpi1_div_sec.c \ + and_n.c mpn/generic/logops_n.c \ + ior_n.c mpn/generic/logops_n.c \ + sb_div_qr_sec.c mpn/generic/sb_div_sec.c \ + xnor_n.c mpn/generic/logops_n.c \ + iorn_n.c mpn/generic/logops_n.c \ + sbpi1_div_r_sec.c mpn/generic/sbpi1_div_sec.c \ + andn_n.c mpn/generic/logops_n.c \ + ASM_SRCS_LIST= \ sqr_diagonal.asm mpn/mips64/sqr_diagonal.asm \ add_n.asm mpn/mips64/add_n.asm \ 
@@ -185,10 +203,35 @@ ASM_SRCS_LIST= \ addmul_1.asm mpn/mips64/addmul_1.asm \ sub_n.asm mpn/mips64/sub_n.asm \ -.if (defined(CPUFLAGS) !empty(CPUFLAGS:M-mabi=64)) -GMP_LIMB_BITS=64 .else GMP_LIMB_BITS=32 +C_SRCS_LIST= \ + xor_n.c mpn/generic/logops_n.c \ + sb_div_r_sec.c mpn/generic/sb_div_sec.c \ + nand_n.c mpn/generic/logops_n.c \ + nior_n.c mpn/generic/logops_n.c \ + hamdist.c mpn/generic/popham.c \ + popcount.c mpn/generic/popham.c \ + sbpi1_div_qr_sec.c mpn/generic/sbpi1_div_sec.c \ + and_n.c mpn/generic/logops_n.c \ + ior_n.c mpn/generic/logops_n.c \ + sb_div_qr_sec.c mpn/generic/sb_div_sec.c \ + xnor_n.c mpn/generic/logops_n.c \ + iorn_n.c mpn/generic/logops_n.c \ + sbpi1_div_r_sec.c mpn/generic/sbpi1_div_sec.c \ + andn_n.c mpn/generic/logops_n.c \ + addn_n.c mpn/generic/add_n.c \ + submul_1.c mpn/generic/submul_1.c \ + lshift.c mpn/generic/lshift.c \ + mul_1.c mpn/generic/mul_1.c \ + rshift.c mpn/generic/rshift.c \ + sub_n.c mpn/generic/sub_n.c \ + addmul_1.c mpn/generic/addmul_1.c \ + +ASM_SRCS_LIST= + .endif COPTS+= -Wno-error + +COPTS+= -Wno-error Index: src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/config.h diff -u src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/config.h:1.4 src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/config.h:1.5 --- src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/config.h:1.4 Fri Nov 29 13:26:16 2013 +++ src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/config.h Tue May 13 18:46:48 2014 @@ -221,9 +221,13 @@ along with the GNU MP Library. If not, /* Define to 1 each of the following for which a native (ie. CPU specific) implementation of the corresponding routine exists. */ +#ifdef _LP64 #define HAVE_NATIVE_mpn_add_n 1 +#endif /* #undef HAVE_NATIVE_mpn_add_n_sub_n */ +#ifdef _LP64 #define HAVE_NATIVE_mpn_add_nc 1 +#endif /* #undef HAVE_NATIVE_mpn_addaddmul_1msb0 */ /* #undef HAVE_NATIVE_mpn_addcnd_n */ /* #undef HAVE_NATIVE_mpn_addlsh1_n */ 
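Review bot: In the n32 branch of this hunk the generic replacement for the add routine is listed as `addn_n.c mpn/generic/add_n.c`, while the assembly entry it stands in for is `add_n.asm` and every other pair keeps the routine name unchanged. This looks like a typo for `add_n.c`, though whether the first column affects the build depends on how `C_SRCS_LIST` is consumed outside the hunk. The hunk also appends a second `COPTS+= -Wno-error` directly after the existing one, which can be dropped. The matching mips64el Makefile.inc from the same commit is not shown here and may carry the same two lines.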
@@ -272,7 +276,9 @@ along with the GNU MP Library. If not, /* #undef HAVE_NATIVE_mpn_invert_limb */ /* #undef HAVE_NATIVE_mpn_ior_n */ /* #undef HAVE_NATIVE_mpn_iorn_n */ +#ifdef _LP64 #define HAVE_NATIVE_mpn_lshift 1 +#endif /* #undef HAVE_NATIVE_mpn_lshiftc */ /* #undef HAVE_NATIVE_mpn_lshsub_n */ /* #undef HAVE_NATIVE_mpn_mod_1 */ @@ -283,7 +289,9 @@ along with the GNU MP Library. If not, /* #undef HAVE_NATIVE_mpn_mod_34lsub1 */ /* #undef HAVE_NATIVE_mpn_modexact_1_odd */ /* #undef HAVE_NATIVE_mpn_modexact_1c_odd */ +#ifdef _LP64 #define HAVE_NATIVE_mpn_mul_1 1 +#endif /* #undef HAVE_NATIVE_mpn_mul_1c */ /* #undef
CVS commit: src/doc
Module Name:src Committed By: macallan Date: Tue May 13 18:55:07 UTC 2014 Modified Files: src/doc: HACKS Log Message: mention workaround for PR48696 To generate a diff of this commit: cvs rdiff -u -r1.148 -r1.149 src/doc/HACKS Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/HACKS diff -u src/doc/HACKS:1.148 src/doc/HACKS:1.149 --- src/doc/HACKS:1.148 Mon Apr 7 21:20:17 2014 +++ src/doc/HACKS Tue May 13 18:55:07 2014 @@ -1,4 +1,4 @@ -# $NetBSD: HACKS,v 1.148 2014/04/07 21:20:17 christos Exp $ +# $NetBSD: HACKS,v 1.149 2014/05/13 18:55:07 macallan Exp $ # # This file is intended to document workarounds for currently unsolved # (mostly) compiler bugs. @@ -961,3 +961,15 @@ port hp700 descr workaround for unanalysed codegen bug affecting md5c.c. kcah + +port mips64* +hack compiler crashes on mips64* with optimization enabled +cdate Tue May 13 18:46:48 UTC 2014 +who macallan +file src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/Makefile.inc: 1.6 + src/external/lgpl3/gmp/lib/libgmp/arch/mips64eb/config.h: 1.5 + src/external/lgpl3/gmp/lib/libgmp/arch/mips64el/Makefile.inc: 1.6 + src/external/lgpl3/gmp/lib/libgmp/arch/mips64el/config.h: 1.5 +descr workaround for n32 gcc doing unaligned 64bit accesses when optimizing +pr 48696 +kcah
CVS commit: src/sys/arch/sparc64/sparc64
Module Name:src Committed By: palle Date: Tue May 13 19:14:05 UTC 2014 Modified Files: src/sys/arch/sparc64/sparc64: machdep.c Log Message: get_vis() now handles sun4v (VIS 1 and VIS 2) To generate a diff of this commit: cvs rdiff -u -r1.275 -r1.276 src/sys/arch/sparc64/sparc64/machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc64/sparc64/machdep.c diff -u src/sys/arch/sparc64/sparc64/machdep.c:1.275 src/sys/arch/sparc64/sparc64/machdep.c:1.276 --- src/sys/arch/sparc64/sparc64/machdep.c:1.275 Sat Jan 25 19:42:25 2014 +++ src/sys/arch/sparc64/sparc64/machdep.c Tue May 13 19:14:05 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: machdep.c,v 1.275 2014/01/25 19:42:25 christos Exp $ */ +/* $NetBSD: machdep.c,v 1.276 2014/05/13 19:14:05 palle Exp $ */ /*- * Copyright (c) 1996, 1997, 1998 The NetBSD Foundation, Inc. @@ -71,7 +71,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: machdep.c,v 1.275 2014/01/25 19:42:25 christos Exp $); +__KERNEL_RCSID(0, $NetBSD: machdep.c,v 1.276 2014/05/13 19:14:05 palle Exp $); #include opt_ddb.h #include opt_multiprocessor.h 
@@ -401,19 +401,29 @@ get_vis(void) { int vis = 0; - if (GETVER_CPU_MANUF() == MANUF_FUJITSU) { - /* as far as I can tell SPARC64-III and up have VIS 1.0 */ - if (GETVER_CPU_IMPL() = IMPL_SPARC64_III) { - vis = 1; - } - /* XXX - which, if any, SPARC64 support VIS 2.0? */ - } else { - /* this better be Sun */ - vis = 1; /* all UltraSPARCs support at least VIS 1.0 */ - if (CPU_IS_USIII_UP()) { - vis = 2; + if ( CPU_ISSUN4V ) { + /* + * UA2005 and UA2007 supports VIS 1 and VIS 2. + * Oracle SPARC Architecture 2011 supports VIS 3. + * + * XXX Settle with VIS 2 until we can determite the + * actual sun4v implementation. + */ + vis = 2; + } else { + if (GETVER_CPU_MANUF() == MANUF_FUJITSU) { + /* as far as I can tell SPARC64-III and up have VIS 1.0 */ + if (GETVER_CPU_IMPL() = IMPL_SPARC64_III) { +vis = 1; + } + /* XXX - which, if any, SPARC64 support VIS 2.0? */ + } else { + /* this better be Sun */ + vis = 1; /* all UltraSPARCs support at least VIS 1.0 */ + if (CPU_IS_USIII_UP()) { +vis = 2; + } } - /* UltraSPARC T4 supports VIS 3.0 */ } return vis; } @@ -448,10 +458,11 @@ SYSCTL_SETUP(sysctl_machdep_setup, sysc NULL, 9, NULL, 0, CTL_MACHDEP, CPU_ARCH, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE, - CTLTYPE_INT, vis, NULL, - NULL, get_vis(), NULL, 0, - CTL_MACHDEP, CPU_VIS, CTL_EOL); + CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE, + CTLTYPE_INT, vis, + Supported version of VIS instruction set, + NULL, get_vis(), NULL, 0, + CTL_MACHDEP, CPU_VIS, CTL_EOL); } void *
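Review bot: The comment added in the sun4v branch of `get_vis` has a typo (`determite`) and a number disagreement (`UA2005 and UA2007 supports`). It is the only record of why every sun4v CPU is reported as VIS 2, so it is worth getting right: `XXX Settle with VIS 2 until we can determine the actual sun4v implementation.` The hunk also removes the `UltraSPARC T4 supports VIS 3.0` remark; the new mention of Oracle SPARC Architecture 2011 presumably covers it only indirectly, so naming the T4 there would keep that information.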
CVS commit: src/sys
Module Name:src Committed By: bouyer Date: Tue May 13 19:36:16 UTC 2014 Modified Files: src/sys/external/bsd/ipf/netinet: ip_fil_netbsd.c src/sys/net: if_ethersubr.c if_loop.c if_vlan.c src/sys/netinet: ip_carp.c Log Message: Make sure *(if_output)() is called with KERNEL_LOCK held. Add some KASSERT for this. See http://mail-index.netbsd.org/tech-net/2014/04/09/msg004511.html for details. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c cvs rdiff -u -r1.196 -r1.197 src/sys/net/if_ethersubr.c cvs rdiff -u -r1.76 -r1.77 src/sys/net/if_loop.c cvs rdiff -u -r1.69 -r1.70 src/sys/net/if_vlan.c cvs rdiff -u -r1.53 -r1.54 src/sys/netinet/ip_carp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c diff -u src/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c:1.8 src/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c:1.9 --- src/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c:1.8 Sun Mar 16 05:20:30 2014 +++ src/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c Tue May 13 19:36:16 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_fil_netbsd.c,v 1.8 2014/03/16 05:20:30 dholland Exp $ */ +/* $NetBSD: ip_fil_netbsd.c,v 1.9 2014/05/13 19:36:16 bouyer Exp $ */ /* * Copyright (C) 2012 by Darren Reed. @@ -8,7 +8,7 @@ #if !defined(lint) #if defined(__NetBSD__) #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: ip_fil_netbsd.c,v 1.8 2014/03/16 05:20:30 dholland Exp $); +__KERNEL_RCSID(0, $NetBSD: ip_fil_netbsd.c,v 1.9 2014/05/13 19:36:16 bouyer Exp $); #else static const char sccsid[] = @(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed; static const char rcsid[] = @(#)Id: ip_fil_netbsd.c,v 1.1.1.2 2012/07/22 13:45:17 darrenr Exp; 
@@ -1209,7 +1209,9 @@ ipf_fastroute(mb_t *m0, mb_t **mpp, fr_i ip-ip_sum = in_cksum(m, hlen); # endif /* M_CSUM_IPv4 */ + KERNEL_LOCK(1, NULL); error = (*ifp-if_output)(ifp, m, dst, rt); + KERNEL_UNLOCK_ONE(NULL); goto done; } @@ -1296,7 +1298,9 @@ sendorfree: m0 = m-m_act; m-m_act = 0; if (error == 0) { + KERNEL_LOCK(1, NULL); error = (*ifp-if_output)(ifp, m, dst, rt); + KERNEL_UNLOCK_ONE(NULL); } else { FREE_MB_T(m); } Index: src/sys/net/if_ethersubr.c diff -u src/sys/net/if_ethersubr.c:1.196 src/sys/net/if_ethersubr.c:1.197 --- src/sys/net/if_ethersubr.c:1.196 Tue Feb 25 22:42:06 2014 +++ src/sys/net/if_ethersubr.c Tue May 13 19:36:16 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: if_ethersubr.c,v 1.196 2014/02/25 22:42:06 pooka Exp $ */ +/* $NetBSD: if_ethersubr.c,v 1.197 2014/05/13 19:36:16 bouyer Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -61,7 +61,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: if_ethersubr.c,v 1.196 2014/02/25 22:42:06 pooka Exp $); +__KERNEL_RCSID(0, $NetBSD: if_ethersubr.c,v 1.197 2014/05/13 19:36:16 bouyer Exp $); #include opt_inet.h #include opt_atalk.h @@ -211,6 +211,8 @@ ether_output(struct ifnet * const ifp0, struct at_ifaddr *aa; #endif /* NETATALK */ + KASSERT(KERNEL_LOCKED_P()); + #ifdef MBUFTRACE m_claimm(m, ifp-if_mowner); #endif Index: src/sys/net/if_loop.c diff -u src/sys/net/if_loop.c:1.76 src/sys/net/if_loop.c:1.77 --- src/sys/net/if_loop.c:1.76 Fri Mar 1 18:25:56 2013 +++ src/sys/net/if_loop.c Tue May 13 19:36:16 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: if_loop.c,v 1.76 2013/03/01 18:25:56 joerg Exp $ */ +/* $NetBSD: if_loop.c,v 1.77 2014/05/13 19:36:16 bouyer Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -65,7 +65,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: if_loop.c,v 1.76 2013/03/01 18:25:56 joerg Exp $); +__KERNEL_RCSID(0, $NetBSD: if_loop.c,v 1.77 2014/05/13 19:36:16 bouyer Exp $); #include opt_inet.h #include opt_atalk.h 
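Review bot: The two `ipf_fastroute` call sites now take `KERNEL_LOCK(1, NULL)` around `(*ifp->if_output)()`, but nothing at either site says why, and the `KASSERT(KERNEL_LOCKED_P())` added to `ether_output` (and to `looutput` and `vlan_start` in the later hunks) is presumably compiled out of non-DIAGNOSTIC kernels. A one-line comment at each call site, e.g. `/* if_output must be called with KERNEL_LOCK held */`, would keep a later cleanup from dropping the lock without noticing the contract. The identical lock/call/unlock triple appears twice in this function; a small static helper would keep the two in step. Both hunks cut through `ipf_fastroute`, so whether other locks are held at these points is not visible here.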
@@ -216,6 +216,8 @@ looutput(struct ifnet *ifp, struct mbuf int csum_flags; MCLAIM(m, ifp-if_mowner); + KASSERT(KERNEL_LOCKED_P()); + if ((m-m_flags M_PKTHDR) == 0) panic(looutput: no header mbuf); if (ifp-if_flags IFF_LOOPBACK) Index: src/sys/net/if_vlan.c diff -u src/sys/net/if_vlan.c:1.69 src/sys/net/if_vlan.c:1.70 --- src/sys/net/if_vlan.c:1.69 Wed Oct 19 22:07:09 2011 +++ src/sys/net/if_vlan.c Tue May 13 19:36:16 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: if_vlan.c,v 1.69 2011/10/19 22:07:09 dyoung Exp $ */ +/* $NetBSD: if_vlan.c,v 1.70 2014/05/13 19:36:16 bouyer Exp $ */ /*- * Copyright (c) 2000, 2001 The NetBSD Foundation, Inc. @@ -78,7 +78,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: if_vlan.c,v 1.69 2011/10/19 22:07:09 dyoung Exp $); +__KERNEL_RCSID(0, $NetBSD: if_vlan.c,v 1.70 2014/05/13 19:36:16 bouyer Exp $); #include opt_inet.h @@ -681,6 +681,8 @@ vlan_start(struct ifnet *ifp) int error; ALTQ_DECL(struct altq_pktattr pktattr;) + KASSERT(KERNEL_LOCKED_P()); + ifp-if_flags |= IFF_OACTIVE; for (;;) { Index:
CVS commit: src/sys/arch/sparc64/sparc64
Module Name:src Committed By: palle Date: Tue May 13 19:39:40 UTC 2014 Modified Files: src/sys/arch/sparc64/sparc64: machdep.c Log Message: Use proper SYSCTL_DESCR() macro To generate a diff of this commit: cvs rdiff -u -r1.276 -r1.277 src/sys/arch/sparc64/sparc64/machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc64/sparc64/machdep.c diff -u src/sys/arch/sparc64/sparc64/machdep.c:1.276 src/sys/arch/sparc64/sparc64/machdep.c:1.277 --- src/sys/arch/sparc64/sparc64/machdep.c:1.276 Tue May 13 19:14:05 2014 +++ src/sys/arch/sparc64/sparc64/machdep.c Tue May 13 19:39:40 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: machdep.c,v 1.276 2014/05/13 19:14:05 palle Exp $ */ +/* $NetBSD: machdep.c,v 1.277 2014/05/13 19:39:40 palle Exp $ */ /*- * Copyright (c) 1996, 1997, 1998 The NetBSD Foundation, Inc. @@ -71,7 +71,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: machdep.c,v 1.276 2014/05/13 19:14:05 palle Exp $); +__KERNEL_RCSID(0, $NetBSD: machdep.c,v 1.277 2014/05/13 19:39:40 palle Exp $); #include opt_ddb.h #include opt_multiprocessor.h @@ -460,7 +460,7 @@ SYSCTL_SETUP(sysctl_machdep_setup, sysc sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE, CTLTYPE_INT, vis, - Supported version of VIS instruction set, + SYSCTL_DESCR(supported version of VIS instruction set), NULL, get_vis(), NULL, 0, CTL_MACHDEP, CPU_VIS, CTL_EOL); }
CVS commit: src/sys/sys
Module Name:src Committed By: christos Date: Tue May 13 19:58:23 UTC 2014 Modified Files: src/sys/sys: cdefs_elf.h Log Message: re-use a macro. To generate a diff of this commit: cvs rdiff -u -r1.43 -r1.44 src/sys/sys/cdefs_elf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/sys/cdefs_elf.h diff -u src/sys/sys/cdefs_elf.h:1.43 src/sys/sys/cdefs_elf.h:1.44 --- src/sys/sys/cdefs_elf.h:1.43 Thu Feb 7 13:53:34 2013 +++ src/sys/sys/cdefs_elf.h Tue May 13 15:58:23 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: cdefs_elf.h,v 1.43 2013/02/07 18:53:34 gdt Exp $ */ +/* $NetBSD: cdefs_elf.h,v 1.44 2014/05/13 19:58:23 christos Exp $ */ /* * Copyright (c) 1995, 1996 Carnegie-Mellon University. @@ -152,13 +152,13 @@ #define __link_set_add_data2(set, sym, n) __link_set_make_entry2(set, sym, n) #define __link_set_add_bss2(set, sym, n)__link_set_make_entry2(set, sym, n) -#define __link_set_decl(set, ptype) \ - extern ptype * const __start_link_set_##set[] __dso_hidden; \ - extern ptype * const __stop_link_set_##set[] __dso_hidden - #define __link_set_start(set) (__start_link_set_##set) #define __link_set_end(set) (__stop_link_set_##set) +#define __link_set_decl(set, ptype) \ + extern ptype * const __link_set_start(set)[] __dso_hidden; \ + extern ptype * const __link_set_end(set)[] __dso_hidden + #define __link_set_count(set) \ (__link_set_end(set) - __link_set_start(set))
CVS commit: src/external/bsd/top/dist
Module Name:src Committed By: christos Date: Tue May 13 20:06:41 UTC 2014 Modified Files: src/external/bsd/top/dist: display.c Log Message: Don't die if we resize to smaller than Y_LINES. The display could do better, but it recovers if we grow. To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/external/bsd/top/dist/display.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/top/dist/display.c diff -u src/external/bsd/top/dist/display.c:1.9 src/external/bsd/top/dist/display.c:1.10 --- src/external/bsd/top/dist/display.c:1.9 Sat Jul 3 09:18:57 2010 +++ src/external/bsd/top/dist/display.c Tue May 13 16:06:41 2014 @@ -723,8 +723,9 @@ display_resize() /* adjust total lines on screen to lines available for procs */ if (top_lines y_procs) - return -1; -top_lines -= y_procs; + top_lines = 0; +else + top_lines -= y_procs; /* return number of lines available */ return top_lines;
CVS commit: src/external/bsd/tcpdump/dist
Module Name:src Committed By: christos Date: Tue May 13 20:29:59 UTC 2014 Modified Files: src/external/bsd/tcpdump/dist: tcpdump.c Log Message: When running as root and wanting to write a file and not having CAPNG, don't drop privs, because we cannot open the file if we drop privs. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/external/bsd/tcpdump/dist/tcpdump.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/tcpdump/dist/tcpdump.c diff -u src/external/bsd/tcpdump/dist/tcpdump.c:1.7 src/external/bsd/tcpdump/dist/tcpdump.c:1.8 --- src/external/bsd/tcpdump/dist/tcpdump.c:1.7 Tue Dec 31 12:33:31 2013 +++ src/external/bsd/tcpdump/dist/tcpdump.c Tue May 13 16:29:59 2014 @@ -34,7 +34,7 @@ The Regents of the University of Califor static const char rcsid[] _U_ = @(#) Header: /tcpdump/master/tcpdump/tcpdump.c,v 1.283 2008-09-25 21:45:50 guy Exp (LBL); #else -__RCSID($NetBSD: tcpdump.c,v 1.7 2013/12/31 17:33:31 christos Exp $); +__RCSID($NetBSD: tcpdump.c,v 1.8 2014/05/13 20:29:59 christos Exp $); #endif #endif @@ -1482,8 +1482,12 @@ main(int argc, char **argv) #endif /* HAVE_CAP_NG_H */ if (getuid() == 0 || geteuid() == 0) { - if (username || chroot_dir) + if (username || chroot_dir) { +#ifndef HAVE_CAP_NG_H + if (!WFileName) +#endif droproot(username, chroot_dir); + } } #endif /* WIN32 */
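Review bot: On builds without HAVE_CAP_NG_H, a root tcpdump that is given a user or chroot directory together with `-w` (`WFileName` set) now skips `droproot()` silently and keeps full root for the whole capture, although the operator explicitly asked for the drop. The usual way to keep the restriction is to open the output file while still privileged and call `droproot(username, chroot_dir)` afterwards; if that is not practical here, the skipped case should at least print a warning so the lost sandbox is visible. The brace-less `if (!WFileName)` inside `#ifndef` that governs a statement outside the `#endif` is also easy to misread and deserves braces or a comment. `main` continues outside this hunk, so where the savefile is actually opened is not visible from here.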
CVS commit: [netbsd-6] xsrc
Module Name:xsrc Committed By: msaitoh Date: Wed May 14 03:34:12 UTC 2014 Modified Files: xsrc/external/mit/libXfont/dist/src/fc [netbsd-6]: fsconvert.c fserve.c xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-6]: dirfile.c xsrc/xfree/xc/lib/font/fc [netbsd-6]: fsconvert.c fserve.c xsrc/xfree/xc/lib/font/fontfile [netbsd-6]: dirfile.c Log Message: Pull up following revision(s) (requested by spz in ticket #1063): xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c 1.2 xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2 xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.2 xsrc/xfree/xc/lib/font/fc/fsconvert.c 1.5 xsrc/xfree/xc/lib/font/fc/fserve.c 1.5 xsrc/xfree/xc/lib/font/fontfile/dirfile.c 1.5 Fix multiple vulnerabilities in libXfont: - CVE-2014-0209: integer overflow of allocations in font metadata file parsing When a local user who is already authenticated to the X server adds a new directory to the font path, the X server calls libXfont to open the fonts.dir and fonts.alias files in that directory and add entries to the font tables for every line in it. A large file (~2-4 gb) could cause the allocations to overflow, and allow the remaining data read from the file to overwrite other memory in the heap. Affected functions: FontFileAddEntry(), lexAlias() - CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies When parsing replies received from the font server, these calls do not check that the lengths and/or indexes returned by the font server are within the size of the reply or the bounds of the memory allocated to store the data, so could write past the bounds of allocated memory when storing the returned data. 
Affected functions: _fs_recv_conn_setup(), fs_read_open_font(), fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(), fs_read_list(), fs_read_list_info() - CVE-2014-0211: integer overflows calculating memory needs for xfs replies These calls do not check that their calculations for how much memory is needed to handle the returned data have not overflowed, so can result in allocating too little memory and then writing the returned data past the end of the allocated buffer. Affected functions: fs_get_reply(), fs_alloc_glyphs(), fs_read_extent_info() See also: http://lists.x.org/archives/xorg-announce/2014-May/002431.html To generate a diff of this commit: cvs rdiff -u -r1.1.1.2 -r1.1.1.2.2.1 \ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \ xsrc/external/mit/libXfont/dist/src/fc/fserve.c cvs rdiff -u -r1.1.1.2 -r1.1.1.2.2.1 \ xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c cvs rdiff -u -r1.4 -r1.4.26.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \ xsrc/xfree/xc/lib/font/fc/fserve.c cvs rdiff -u -r1.4 -r1.4.14.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2.2.1 --- xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2 Wed Jun 10 07:33:40 2009 +++ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c Wed May 14 03:34:12 2014 @@ -120,6 +120,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp for (i = 0; i nprops; i++, dprop++, is_str++) { memcpy(local_off, off_adr, SIZEOF(fsPropOffset)); + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-name = MakeAtom(pdc[local_off.name.position], local_off.name.length, 1); if (local_off.type != PropTypeString) { 
@@ -127,10 +131,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp dprop-value = local_off.value.position; } else { *is_str = TRUE; + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-value = (INT32) MakeAtom(pdc[local_off.value.position], local_off.value.length, 1); if (dprop-value == BAD_RESOURCE) { + bail: free (pfi-props); pfi-nprops = 0; pfi-props = 0; @@ -714,7 +723,12 @@ fs_alloc_glyphs (FontPtr pFont, int size FSGlyphPtr glyphs; FSFontPtr fsfont = (FSFontPtr) pFont-fontPrivate; -glyphs = malloc (sizeof (FSGlyphRec) + size); +if (size (INT_MAX - sizeof (FSGlyphRec))) + glyphs = malloc (sizeof (FSGlyphRec) + size); +else +glyphs = NULL; +if (glyphs == NULL) +return NULL; glyphs-next = fsfont-glyphs; fsfont-glyphs = glyphs; return (pointer) (glyphs + 1); Index:
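Review bot: The bounds check added in the string-value `else` branch of `_fs_convert_props` tests `local_off.name.position` and `local_off.name.length` a second time, but the `MakeAtom` call it guards reads `pdc[local_off.value.position]` for `local_off.value.length` bytes, so a font-server reply with a valid name and an out-of-range value offset still gets past it. The check there should be on the value fields: `if ((local_off.value.position >= pi->data_len) || (local_off.value.length > (pi->data_len - local_off.value.position))) goto bail;` (the comparison operators were lost in this page's extraction and are inferred). The same hunk is repeated in the netbsd-6-1 and netbsd-6-0 pull-ups further down the page. Separately, `fs_alloc_glyphs` can now return NULL, so its callers in fserve.c, which are not shown here, need to check for that. The body of `_fs_convert_props` starts and ends outside these hunks.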
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: msaitoh Date: Wed May 14 03:52:21 UTC 2014 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket 1063. To generate a diff of this commit: cvs rdiff -u -r1.1.2.108 -r1.1.2.109 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.108 src/doc/CHANGES-6.2:1.1.2.109 --- src/doc/CHANGES-6.2:1.1.2.108 Wed Apr 30 05:38:31 2014 +++ src/doc/CHANGES-6.2 Wed May 14 03:52:21 2014 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.108 2014/04/30 05:38:31 msaitoh Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.109 2014/05/14 03:52:21 msaitoh Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -2192,3 +2192,19 @@ lib/libc/net/sethostent.c 1.20 Fix memory leak. This bug was introduced after releasing NetBSD 6.1. [christos, ticket #1036] + +xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c 1.2 +xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2 +xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.2 +xsrc/xfree/xc/lib/font/fc/fsconvert.c 1.5 +xsrc/xfree/xc/lib/font/fc/fserve.c 1.5 +xsrc/xfree/xc/lib/font/fontfile/dirfile.c 1.5 + + Fix multiple vulnerabilities in libXfont: + - CVE-2014-0209: integer overflow of allocations in font metadata + file parsing + - CVE-2014-0210: unvalidated length fields when parsing xfs protocol + replies + - CVE-2014-0211: integer overflows calculating memory needs for xfs + replies + [spz, ticket #1063]
CVS commit: [netbsd-6-1] xsrc
Module Name:xsrc Committed By: msaitoh Date: Wed May 14 03:53:16 UTC 2014 Modified Files: xsrc/external/mit/libXfont/dist/src/fc [netbsd-6-1]: fsconvert.c fserve.c xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-6-1]: dirfile.c xsrc/xfree/xc/lib/font/fc [netbsd-6-1]: fsconvert.c fserve.c xsrc/xfree/xc/lib/font/fontfile [netbsd-6-1]: dirfile.c Log Message: Pull up following revision(s) (requested by spz in ticket #1063): xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c 1.2 xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2 xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.2 xsrc/xfree/xc/lib/font/fc/fsconvert.c 1.5 xsrc/xfree/xc/lib/font/fc/fserve.c 1.5 xsrc/xfree/xc/lib/font/fontfile/dirfile.c 1.5 Fix multiple vulnerabilities in libXfont: - CVE-2014-0209: integer overflow of allocations in font metadata file parsing When a local user who is already authenticated to the X server adds a new directory to the font path, the X server calls libXfont to open the fonts.dir and fonts.alias files in that directory and add entries to the font tables for every line in it. A large file (~2-4 gb) could cause the allocations to overflow, and allow the remaining data read from the file to overwrite other memory in the heap. Affected functions: FontFileAddEntry(), lexAlias() - CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies When parsing replies received from the font server, these calls do not check that the lengths and/or indexes returned by the font server are within the size of the reply or the bounds of the memory allocated to store the data, so could write past the bounds of allocated memory when storing the returned data. 
Affected functions: _fs_recv_conn_setup(), fs_read_open_font(), fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(), fs_read_list(), fs_read_list_info() - CVE-2014-0211: integer overflows calculating memory needs for xfs replies These calls do not check that their calculations for how much memory is needed to handle the returned data have not overflowed, so can result in allocating too little memory and then writing the returned data past the end of the allocated buffer. Affected functions: fs_get_reply(), fs_alloc_glyphs(), fs_read_extent_info() See also: http://lists.x.org/archives/xorg-announce/2014-May/002431.html To generate a diff of this commit: cvs rdiff -u -r1.1.1.2 -r1.1.1.2.6.1 \ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \ xsrc/external/mit/libXfont/dist/src/fc/fserve.c cvs rdiff -u -r1.1.1.2 -r1.1.1.2.6.1 \ xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c cvs rdiff -u -r1.4 -r1.4.32.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \ xsrc/xfree/xc/lib/font/fc/fserve.c cvs rdiff -u -r1.4 -r1.4.20.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2.6.1 --- xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2 Wed Jun 10 07:33:40 2009 +++ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c Wed May 14 03:53:15 2014 @@ -120,6 +120,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp for (i = 0; i nprops; i++, dprop++, is_str++) { memcpy(local_off, off_adr, SIZEOF(fsPropOffset)); + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-name = MakeAtom(pdc[local_off.name.position], local_off.name.length, 1); if (local_off.type != PropTypeString) { 
@@ -127,10 +131,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp dprop-value = local_off.value.position; } else { *is_str = TRUE; + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-value = (INT32) MakeAtom(pdc[local_off.value.position], local_off.value.length, 1); if (dprop-value == BAD_RESOURCE) { + bail: free (pfi-props); pfi-nprops = 0; pfi-props = 0; @@ -714,7 +723,12 @@ fs_alloc_glyphs (FontPtr pFont, int size FSGlyphPtr glyphs; FSFontPtr fsfont = (FSFontPtr) pFont-fontPrivate; -glyphs = malloc (sizeof (FSGlyphRec) + size); +if (size (INT_MAX - sizeof (FSGlyphRec))) + glyphs = malloc (sizeof (FSGlyphRec) + size); +else +glyphs = NULL; +if (glyphs == NULL) +return NULL; glyphs-next = fsfont-glyphs; fsfont-glyphs = glyphs; return (pointer) (glyphs + 1);
CVS commit: [netbsd-6-1] src/doc
Module Name:src Committed By: msaitoh Date: Wed May 14 03:54:55 UTC 2014 Modified Files: src/doc [netbsd-6-1]: CHANGES-6.1.5 Log Message: Ticket 1063. To generate a diff of this commit: cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-6.1.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.1.5 diff -u src/doc/CHANGES-6.1.5:1.1.2.4 src/doc/CHANGES-6.1.5:1.1.2.5 --- src/doc/CHANGES-6.1.5:1.1.2.4 Mon Apr 21 21:04:25 2014 +++ src/doc/CHANGES-6.1.5 Wed May 14 03:54:55 2014 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.1.5,v 1.1.2.4 2014/04/21 21:04:25 bouyer Exp $ +# $NetBSD: CHANGES-6.1.5,v 1.1.2.5 2014/05/14 03:54:55 msaitoh Exp $ A complete list of changes from the NetBSD 6.1.4 release to the NetBSD 6.1.5 release: @@ -73,3 +73,18 @@ sys/compat/linux/common/linux_exec_elf32 Rewrite the code so that we don't need to allocate the whole section. [maxv, ticket #1051] +xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c 1.2 +xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2 +xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.2 +xsrc/xfree/xc/lib/font/fc/fsconvert.c 1.5 +xsrc/xfree/xc/lib/font/fc/fserve.c 1.5 +xsrc/xfree/xc/lib/font/fontfile/dirfile.c 1.5 + + Fix multiple vulnerabilities in libXfont: + - CVE-2014-0209: integer overflow of allocations in font metadata + file parsing + - CVE-2014-0210: unvalidated length fields when parsing xfs protocol + replies + - CVE-2014-0211: integer overflows calculating memory needs for xfs + replies + [spz, ticket #1063]
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc Committed By: msaitoh Date: Wed May 14 03:55:40 UTC 2014 Modified Files: xsrc/external/mit/libXfont/dist/src/fc [netbsd-6-0]: fsconvert.c fserve.c xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-6-0]: dirfile.c xsrc/xfree/xc/lib/font/fc [netbsd-6-0]: fsconvert.c fserve.c xsrc/xfree/xc/lib/font/fontfile [netbsd-6-0]: dirfile.c Log Message: Pull up following revision(s) (requested by spz in ticket #1063): xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c 1.2 xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2 xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.2 xsrc/xfree/xc/lib/font/fc/fsconvert.c 1.5 xsrc/xfree/xc/lib/font/fc/fserve.c 1.5 xsrc/xfree/xc/lib/font/fontfile/dirfile.c 1.5 Fix multiple vulnerabilities in libXfont: - CVE-2014-0209: integer overflow of allocations in font metadata file parsing When a local user who is already authenticated to the X server adds a new directory to the font path, the X server calls libXfont to open the fonts.dir and fonts.alias files in that directory and add entries to the font tables for every line in it. A large file (~2-4 gb) could cause the allocations to overflow, and allow the remaining data read from the file to overwrite other memory in the heap. Affected functions: FontFileAddEntry(), lexAlias() - CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies When parsing replies received from the font server, these calls do not check that the lengths and/or indexes returned by the font server are within the size of the reply or the bounds of the memory allocated to store the data, so could write past the bounds of allocated memory when storing the returned data. 
Affected functions: _fs_recv_conn_setup(), fs_read_open_font(), fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(), fs_read_list(), fs_read_list_info() - CVE-2014-0211: integer overflows calculating memory needs for xfs replies These calls do not check that their calculations for how much memory is needed to handle the returned data have not overflowed, so can result in allocating too little memory and then writing the returned data past the end of the allocated buffer. Affected functions: fs_get_reply(), fs_alloc_glyphs(), fs_read_extent_info() See also: http://lists.x.org/archives/xorg-announce/2014-May/002431.html To generate a diff of this commit: cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \ xsrc/external/mit/libXfont/dist/src/fc/fserve.c cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \ xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c cvs rdiff -u -r1.4 -r1.4.28.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \ xsrc/xfree/xc/lib/font/fc/fserve.c cvs rdiff -u -r1.4 -r1.4.16.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2.4.1 --- xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2 Wed Jun 10 07:33:40 2009 +++ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c Wed May 14 03:55:40 2014 @@ -120,6 +120,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp for (i = 0; i nprops; i++, dprop++, is_str++) { memcpy(local_off, off_adr, SIZEOF(fsPropOffset)); + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-name = MakeAtom(pdc[local_off.name.position], local_off.name.length, 1); if (local_off.type != PropTypeString) { 
@@ -127,10 +131,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp dprop-value = local_off.value.position; } else { *is_str = TRUE; + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-value = (INT32) MakeAtom(pdc[local_off.value.position], local_off.value.length, 1); if (dprop-value == BAD_RESOURCE) { + bail: free (pfi-props); pfi-nprops = 0; pfi-props = 0; @@ -714,7 +723,12 @@ fs_alloc_glyphs (FontPtr pFont, int size FSGlyphPtr glyphs; FSFontPtr fsfont = (FSFontPtr) pFont-fontPrivate; -glyphs = malloc (sizeof (FSGlyphRec) + size); +if (size (INT_MAX - sizeof (FSGlyphRec))) + glyphs = malloc (sizeof (FSGlyphRec) + size); +else +glyphs = NULL; +if (glyphs == NULL) +return NULL; glyphs-next = fsfont-glyphs; fsfont-glyphs = glyphs; return (pointer) (glyphs + 1);
CVS commit: [netbsd-6-0] src/doc
Module Name:src Committed By: msaitoh Date: Wed May 14 03:56:31 UTC 2014 Modified Files: src/doc [netbsd-6-0]: CHANGES-6.0.6 Log Message: Ticket 1063. To generate a diff of this commit: cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-6.0.6 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.0.6 diff -u src/doc/CHANGES-6.0.6:1.1.2.4 src/doc/CHANGES-6.0.6:1.1.2.5 --- src/doc/CHANGES-6.0.6:1.1.2.4 Mon Apr 21 21:04:27 2014 +++ src/doc/CHANGES-6.0.6 Wed May 14 03:56:31 2014 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.0.6,v 1.1.2.4 2014/04/21 21:04:27 bouyer Exp $ +# $NetBSD: CHANGES-6.0.6,v 1.1.2.5 2014/05/14 03:56:31 msaitoh Exp $ A complete list of changes from the NetBSD 6.0.5 release to the NetBSD 6.0.6 release: @@ -73,3 +73,18 @@ sys/compat/linux/common/linux_exec_elf32 Rewrite the code so that we don't need to allocate the whole section. [maxv, ticket #1051] +xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c 1.2 +xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2 +xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.2 +xsrc/xfree/xc/lib/font/fc/fsconvert.c 1.5 +xsrc/xfree/xc/lib/font/fc/fserve.c 1.5 +xsrc/xfree/xc/lib/font/fontfile/dirfile.c 1.5 + + Fix multiple vulnerabilities in libXfont: + - CVE-2014-0209: integer overflow of allocations in font metadata + file parsing + - CVE-2014-0210: unvalidated length fields when parsing xfs protocol + replies + - CVE-2014-0211: integer overflows calculating memory needs for xfs + replies + [spz, ticket #1063]
CVS commit: src/sys/external/bsd/drm2/drm
Module Name:src Committed By: riastradh Date: Wed May 14 04:38:49 UTC 2014 Modified Files: src/sys/external/bsd/drm2/drm: drm_memory.c Log Message: Fix error branch in drm_limit_dma_space. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/sys/external/bsd/drm2/drm/drm_memory.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/external/bsd/drm2/drm/drm_memory.c diff -u src/sys/external/bsd/drm2/drm/drm_memory.c:1.2 src/sys/external/bsd/drm2/drm/drm_memory.c:1.3 --- src/sys/external/bsd/drm2/drm/drm_memory.c:1.2 Tue Mar 18 18:20:42 2014 +++ src/sys/external/bsd/drm2/drm/drm_memory.c Wed May 14 04:38:49 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: drm_memory.c,v 1.2 2014/03/18 18:20:42 riastradh Exp $ */ +/* $NetBSD: drm_memory.c,v 1.3 2014/05/14 04:38:49 riastradh Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: drm_memory.c,v 1.2 2014/03/18 18:20:42 riastradh Exp $); +__KERNEL_RCSID(0, $NetBSD: drm_memory.c,v 1.3 2014/05/14 04:38:49 riastradh Exp $); #ifdef _KERNEL_OPT #include agp_i810.h @@ -253,7 +253,7 @@ int drm_limit_dma_space(struct drm_device *dev, resource_size_t min_addr, resource_size_t max_addr) { - int error; + int ret; KASSERT(min_addr = max_addr); @@ -274,11 +274,13 @@ drm_limit_dma_space(struct drm_device *d * the caller should try to allocate DMA-safe memory on failure * anyway, but...paranoia). */ - error = bus_dmatag_subregion(dev-bus_dmat, min_addr, max_addr, + /* XXX errno NetBSD-Linux */ + ret = -bus_dmatag_subregion(dev-bus_dmat, min_addr, max_addr, dev-dmat, BUS_DMA_WAITOK); - if (error) { + if (ret) { dev-dmat = dev-bus_dmat; - return error; + dev-dmat_subregion_p = false; + return ret; } /*
CVS commit: [netbsd-5] src/sys/compat/linux/common
Module Name:src Committed By: msaitoh Date: Wed May 14 05:14:47 UTC 2014 Modified Files: src/sys/compat/linux/common [netbsd-5]: linux_exec_elf32.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1902): src/sys/compat/linux/common/linux_exec_elf32.c 1.91 via patch A specially-crafted binary could easily control a kernel array index. Add some checks to ensure that nothing will be read outside the allocated area. Rewrite the code so that we don't need to allocate the whole section. Spotted by several developers, patch from chs@/enami@ To generate a diff of this commit: cvs rdiff -u -r1.81 -r1.81.10.1 \ src/sys/compat/linux/common/linux_exec_elf32.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux/common/linux_exec_elf32.c diff -u src/sys/compat/linux/common/linux_exec_elf32.c:1.81 src/sys/compat/linux/common/linux_exec_elf32.c:1.81.10.1 --- src/sys/compat/linux/common/linux_exec_elf32.c:1.81 Mon Apr 28 20:23:43 2008 +++ src/sys/compat/linux/common/linux_exec_elf32.c Wed May 14 05:14:47 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_exec_elf32.c,v 1.81 2008/04/28 20:23:43 martin Exp $ */ +/* $NetBSD: linux_exec_elf32.c,v 1.81.10.1 2014/05/14 05:14:47 msaitoh Exp $ */ /*- * Copyright (c) 1995, 1998, 2000, 2001 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: linux_exec_elf32.c,v 1.81 2008/04/28 20:23:43 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: linux_exec_elf32.c,v 1.81.10.1 2014/05/14 05:14:47 msaitoh Exp $); #ifndef ELFSIZE /* XXX should die */ 
@@ -89,50 +89,43 @@ ELFNAME2(linux,atexit_signature)(l, epp, struct exec_package *epp; Elf_Ehdr *eh; { + Elf_Shdr *sh; size_t shsize; - int strndx; + u_int shstrndx; size_t i; static const char signature[] = __libc_atexit; - char *strtable = NULL; - Elf_Shdr *sh; - + const size_t sigsz = sizeof(signature); + char tbuf[sizeof(signature)]; int error; - /* - * load the section header table - */ + /* Load the section header table. */ shsize = eh-e_shnum * sizeof(Elf_Shdr); sh = (Elf_Shdr *) malloc(shsize, M_TEMP, M_WAITOK); error = exec_read_from(l, epp-ep_vp, eh-e_shoff, sh, shsize); if (error) goto out; - /* - * Now let's find the string table. If it does not exists, give up. - */ - strndx = (int)(eh-e_shstrndx); - if (strndx == SHN_UNDEF) { + /* Now let's find the string table. If it does not exist, give up. */ + shstrndx = eh-e_shstrndx; + if (shstrndx == SHN_UNDEF || shstrndx = eh-e_shnum) { error = ENOEXEC; goto out; } - /* - * strndx is the index in section header table of the string table - * section get the whole string table in strtable, and then we get access to the names - * s-sh_name is the offset of the section name in strtable. - */ - strtable = malloc(sh[strndx].sh_size, M_TEMP, M_WAITOK); - error = exec_read_from(l, epp-ep_vp, sh[strndx].sh_offset, strtable, - sh[strndx].sh_size); - if (error) - goto out; - + /* Check if any section has the name we're looking for. */ + const off_t stroff = sh[shstrndx].sh_offset; for (i = 0; i eh-e_shnum; i++) { Elf_Shdr *s = sh[i]; - if (!memcmp((void*)((strtable[s-sh_name])), signature, -sizeof(signature))) { - DPRINTF((linux_atexit_sig=%s\n, - (strtable[s-sh_name]))); + + if (s-sh_name + sigsz sh[shstrndx].sh_size) + continue; + + error = exec_read_from(l, epp-ep_vp, stroff + s-sh_name, tbuf, + sigsz); + if (error) + goto out; + if (!memcmp(tbuf, signature, sigsz)) { + DPRINTF((linux_atexit_sig=%s\n, tbuf)); error = 0; goto out; } 
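Review bot: The new guard `s->sh_name + sigsz > sh[shstrndx].sh_size` adds before it compares, so on a kernel where `size_t` is 32 bits a section-name offset near the top of the range wraps around and passes the check (the operator is inferred, since extraction dropped it). The read into `tbuf` stays bounded by `sigsz`, so this does not corrupt memory, but it lets the file read land outside the string table. A subtraction form removes the case: `if (sh[shstrndx].sh_size < sigsz || s->sh_name > sh[shstrndx].sh_size - sigsz) continue;`. The same hunk appears in the netbsd-5-2 pull-up further down, and the function begins before and ends after this hunk.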
@@ -141,8 +134,6 @@ ELFNAME2(linux,atexit_signature)(l, epp, out: free(sh, M_TEMP); - if (strtable) - free(strtable, M_TEMP); return (error); } #endif @@ -216,59 +207,48 @@ out: #ifdef LINUX_DEBUGLINK_SIGNATURE /* - * Look for a .gnu_debuglink, specific to x86_64 interpeter + * Look for a .gnu_debuglink, specific to x86_64 interpreter */ int -ELFNAME2(linux,debuglink_signature)(l, epp, eh) - struct lwp *l; - struct exec_package *epp; - Elf_Ehdr *eh; +ELFNAME2(linux,debuglink_signature)(struct lwp *l, struct exec_package *epp, Elf_Ehdr *eh) { + Elf_Shdr *sh; size_t shsize; - int strndx; + u_int shstrndx; size_t i; static const char signature[] = .gnu_debuglink; - char *strtable = NULL; - Elf_Shdr *sh; - + const size_t sigsz = sizeof(signature); + char tbuf[sizeof(signature)]; int error; - /* - * load the section header table - */ + /* Load the section header table. */ shsize = eh-e_shnum * sizeof(Elf_Shdr); sh = (Elf_Shdr *) malloc(shsize, M_TEMP, M_WAITOK); error = exec_read_from(l, epp-ep_vp, eh-e_shoff, sh, shsize); if (error) goto out; - /* - * Now let's find the string table. If it does not exists, give up. - */ - strndx = (int)(eh-e_shstrndx); - if (strndx == SHN_UNDEF) { + /* Now let's find the string table. If it
CVS commit: [netbsd-5] src/doc
Module Name:src Committed By: msaitoh Date: Wed May 14 05:15:06 UTC 2014 Modified Files: src/doc [netbsd-5]: CHANGES-5.3 Log Message: Ticket 1902. To generate a diff of this commit: cvs rdiff -u -r1.1.2.52 -r1.1.2.53 src/doc/CHANGES-5.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-5.3 diff -u src/doc/CHANGES-5.3:1.1.2.52 src/doc/CHANGES-5.3:1.1.2.53 --- src/doc/CHANGES-5.3:1.1.2.52 Wed Apr 30 05:41:30 2014 +++ src/doc/CHANGES-5.3 Wed May 14 05:15:06 2014 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-5.3,v 1.1.2.52 2014/04/30 05:41:30 msaitoh Exp $ +# $NetBSD: CHANGES-5.3,v 1.1.2.53 2014/05/14 05:15:06 msaitoh Exp $ A complete list of changes from the NetBSD 5.2 release to the NetBSD 5.3 release: @@ -765,3 +765,12 @@ sys/ufs/mfs/mfs_vfsops.c 1.107 a NULL pointer when particular arguments are given by a user. [maxv, ticket #1901] +src/sys/compat/linux/common/linux_exec_elf32.c 1.91 via patch + + A specially-crafted binary could easily control a kernel array index. + Add some checks to ensure that nothing will be read outside the + allocated area. Rewrite the code so that we don't need to allocate + the whole section. Spotted by several developers, patch from + chs@/enami@ + + [maxv, ticket #1902]
CVS commit: [netbsd-5-2] src/sys/compat/linux/common
Module Name:src Committed By: msaitoh Date: Wed May 14 05:15:40 UTC 2014 Modified Files: src/sys/compat/linux/common [netbsd-5-2]: linux_exec_elf32.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1902): src/sys/compat/linux/common/linux_exec_elf32.c 1.91 via patch A specially-crafted binary could easily control a kernel array index. Add some checks to ensure that nothing will be read outside the allocated area. Rewrite the code so that we don't need to allocate the whole section. Spotted by several developers, patch from chs@/enami@ To generate a diff of this commit: cvs rdiff -u -r1.81 -r1.81.20.1 \ src/sys/compat/linux/common/linux_exec_elf32.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux/common/linux_exec_elf32.c diff -u src/sys/compat/linux/common/linux_exec_elf32.c:1.81 src/sys/compat/linux/common/linux_exec_elf32.c:1.81.20.1 --- src/sys/compat/linux/common/linux_exec_elf32.c:1.81 Mon Apr 28 20:23:43 2008 +++ src/sys/compat/linux/common/linux_exec_elf32.c Wed May 14 05:15:39 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_exec_elf32.c,v 1.81 2008/04/28 20:23:43 martin Exp $ */ +/* $NetBSD: linux_exec_elf32.c,v 1.81.20.1 2014/05/14 05:15:39 msaitoh Exp $ */ /*- * Copyright (c) 1995, 1998, 2000, 2001 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: linux_exec_elf32.c,v 1.81 2008/04/28 20:23:43 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: linux_exec_elf32.c,v 1.81.20.1 2014/05/14 05:15:39 msaitoh Exp $); #ifndef ELFSIZE /* XXX should die */ 
@@ -89,50 +89,43 @@ ELFNAME2(linux,atexit_signature)(l, epp, struct exec_package *epp; Elf_Ehdr *eh; { + Elf_Shdr *sh; size_t shsize; - int strndx; + u_int shstrndx; size_t i; static const char signature[] = __libc_atexit; - char *strtable = NULL; - Elf_Shdr *sh; - + const size_t sigsz = sizeof(signature); + char tbuf[sizeof(signature)]; int error; - /* - * load the section header table - */ + /* Load the section header table. */ shsize = eh-e_shnum * sizeof(Elf_Shdr); sh = (Elf_Shdr *) malloc(shsize, M_TEMP, M_WAITOK); error = exec_read_from(l, epp-ep_vp, eh-e_shoff, sh, shsize); if (error) goto out; - /* - * Now let's find the string table. If it does not exists, give up. - */ - strndx = (int)(eh-e_shstrndx); - if (strndx == SHN_UNDEF) { + /* Now let's find the string table. If it does not exist, give up. */ + shstrndx = eh-e_shstrndx; + if (shstrndx == SHN_UNDEF || shstrndx = eh-e_shnum) { error = ENOEXEC; goto out; } - /* - * strndx is the index in section header table of the string table - * section get the whole string table in strtable, and then we get access to the names - * s-sh_name is the offset of the section name in strtable. - */ - strtable = malloc(sh[strndx].sh_size, M_TEMP, M_WAITOK); - error = exec_read_from(l, epp-ep_vp, sh[strndx].sh_offset, strtable, - sh[strndx].sh_size); - if (error) - goto out; - + /* Check if any section has the name we're looking for. */ + const off_t stroff = sh[shstrndx].sh_offset; for (i = 0; i eh-e_shnum; i++) { Elf_Shdr *s = sh[i]; - if (!memcmp((void*)((strtable[s-sh_name])), signature, -sizeof(signature))) { - DPRINTF((linux_atexit_sig=%s\n, - (strtable[s-sh_name]))); + + if (s-sh_name + sigsz sh[shstrndx].sh_size) + continue; + + error = exec_read_from(l, epp-ep_vp, stroff + s-sh_name, tbuf, + sigsz); + if (error) + goto out; + if (!memcmp(tbuf, signature, sigsz)) { + DPRINTF((linux_atexit_sig=%s\n, tbuf)); error = 0; goto out; } 
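Review bot: The new per-section bound test `s->sh_name + sigsz` against `sh[shstrndx].sh_size` adds a value from the file to `sigsz` before comparing, so where `size_t` is 32 bits a very large `sh_name` can wrap the sum and pass the test. The read that follows would then fetch `sigsz` bytes at `stroff + s->sh_name`, outside the string table; `tbuf` is still correctly sized, so this is a stray file read and not a memory overrun. Comparing without the addition avoids it: `if (sh[shstrndx].sh_size < sigsz || s->sh_name > sh[shstrndx].sh_size - sigsz) continue;`. The comparison operator is missing from this rendering of the diff and is assumed to be `>`. The function body starts and ends outside the hunk, and the same hunk recurs in the netbsd-5-1 pull-up of linux_exec_elf32.c further down.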
@@ -141,8 +134,6 @@ ELFNAME2(linux,atexit_signature)(l, epp, out: free(sh, M_TEMP); - if (strtable) - free(strtable, M_TEMP); return (error); } #endif @@ -216,59 +207,48 @@ out: #ifdef LINUX_DEBUGLINK_SIGNATURE /* - * Look for a .gnu_debuglink, specific to x86_64 interpeter + * Look for a .gnu_debuglink, specific to x86_64 interpreter */ int -ELFNAME2(linux,debuglink_signature)(l, epp, eh) - struct lwp *l; - struct exec_package *epp; - Elf_Ehdr *eh; +ELFNAME2(linux,debuglink_signature)(struct lwp *l, struct exec_package *epp, Elf_Ehdr *eh) { + Elf_Shdr *sh; size_t shsize; - int strndx; + u_int shstrndx; size_t i; static const char signature[] = .gnu_debuglink; - char *strtable = NULL; - Elf_Shdr *sh; - + const size_t sigsz = sizeof(signature); + char tbuf[sizeof(signature)]; int error; - /* - * load the section header table - */ + /* Load the section header table. */ shsize = eh-e_shnum * sizeof(Elf_Shdr); sh = (Elf_Shdr *) malloc(shsize, M_TEMP, M_WAITOK); error = exec_read_from(l, epp-ep_vp, eh-e_shoff, sh, shsize); if (error) goto out; - /* - * Now let's find the string table. If it does not exists, give up. - */ - strndx = (int)(eh-e_shstrndx); - if (strndx == SHN_UNDEF) { + /* Now let's find the string table. If it
CVS commit: [netbsd-5-2] src/doc
Module Name:src Committed By: msaitoh Date: Wed May 14 05:16:02 UTC 2014 Modified Files: src/doc [netbsd-5-2]: CHANGES-5.2.3 Log Message: Ticket 1902. To generate a diff of this commit: cvs rdiff -u -r1.1.2.3 -r1.1.2.4 src/doc/CHANGES-5.2.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-5.2.3 diff -u src/doc/CHANGES-5.2.3:1.1.2.3 src/doc/CHANGES-5.2.3:1.1.2.4 --- src/doc/CHANGES-5.2.3:1.1.2.3 Mon Apr 28 16:06:47 2014 +++ src/doc/CHANGES-5.2.3 Wed May 14 05:16:02 2014 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-5.2.3,v 1.1.2.3 2014/04/28 16:06:47 sborrill Exp $ +# $NetBSD: CHANGES-5.2.3,v 1.1.2.4 2014/05/14 05:16:02 msaitoh Exp $ A complete list of changes from the NetBSD 5.2.2 release to the NetBSD 5.2.3 release: @@ -49,3 +49,12 @@ sys/ufs/mfs/mfs_vfsops.c 1.107 a NULL pointer when particular arguments are given by a user. [maxv, ticket #1901] +src/sys/compat/linux/common/linux_exec_elf32.c 1.91 via patch + + A specially-crafted binary could easily control a kernel array index. + Add some checks to ensure that nothing will be read outside the + allocated area. Rewrite the code so that we don't need to allocate + the whole section. Spotted by several developers, patch from + chs@/enami@ + + [maxv, ticket #1902]
CVS commit: [netbsd-5-1] src/sys/compat/linux/common
Module Name:src Committed By: msaitoh Date: Wed May 14 05:18:05 UTC 2014 Modified Files: src/sys/compat/linux/common [netbsd-5-1]: linux_exec_elf32.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1902): src/sys/compat/linux/common/linux_exec_elf32.c 1.91 via patch A specially-crafted binary could easily control a kernel array index. Add some checks to ensure that nothing will be read outside the allocated area. Rewrite the code so that we don't need to allocate the whole section. Spotted by several developers, patch from chs@/enami@ To generate a diff of this commit: cvs rdiff -u -r1.81 -r1.81.16.1 \ src/sys/compat/linux/common/linux_exec_elf32.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux/common/linux_exec_elf32.c diff -u src/sys/compat/linux/common/linux_exec_elf32.c:1.81 src/sys/compat/linux/common/linux_exec_elf32.c:1.81.16.1 --- src/sys/compat/linux/common/linux_exec_elf32.c:1.81 Mon Apr 28 20:23:43 2008 +++ src/sys/compat/linux/common/linux_exec_elf32.c Wed May 14 05:18:05 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_exec_elf32.c,v 1.81 2008/04/28 20:23:43 martin Exp $ */ +/* $NetBSD: linux_exec_elf32.c,v 1.81.16.1 2014/05/14 05:18:05 msaitoh Exp $ */ /*- * Copyright (c) 1995, 1998, 2000, 2001 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: linux_exec_elf32.c,v 1.81 2008/04/28 20:23:43 martin Exp $); +__KERNEL_RCSID(0, $NetBSD: linux_exec_elf32.c,v 1.81.16.1 2014/05/14 05:18:05 msaitoh Exp $); #ifndef ELFSIZE /* XXX should die */ 
@@ -89,50 +89,43 @@ ELFNAME2(linux,atexit_signature)(l, epp, struct exec_package *epp; Elf_Ehdr *eh; { + Elf_Shdr *sh; size_t shsize; - int strndx; + u_int shstrndx; size_t i; static const char signature[] = __libc_atexit; - char *strtable = NULL; - Elf_Shdr *sh; - + const size_t sigsz = sizeof(signature); + char tbuf[sizeof(signature)]; int error; - /* - * load the section header table - */ + /* Load the section header table. */ shsize = eh-e_shnum * sizeof(Elf_Shdr); sh = (Elf_Shdr *) malloc(shsize, M_TEMP, M_WAITOK); error = exec_read_from(l, epp-ep_vp, eh-e_shoff, sh, shsize); if (error) goto out; - /* - * Now let's find the string table. If it does not exists, give up. - */ - strndx = (int)(eh-e_shstrndx); - if (strndx == SHN_UNDEF) { + /* Now let's find the string table. If it does not exist, give up. */ + shstrndx = eh-e_shstrndx; + if (shstrndx == SHN_UNDEF || shstrndx = eh-e_shnum) { error = ENOEXEC; goto out; } - /* - * strndx is the index in section header table of the string table - * section get the whole string table in strtable, and then we get access to the names - * s-sh_name is the offset of the section name in strtable. - */ - strtable = malloc(sh[strndx].sh_size, M_TEMP, M_WAITOK); - error = exec_read_from(l, epp-ep_vp, sh[strndx].sh_offset, strtable, - sh[strndx].sh_size); - if (error) - goto out; - + /* Check if any section has the name we're looking for. */ + const off_t stroff = sh[shstrndx].sh_offset; for (i = 0; i eh-e_shnum; i++) { Elf_Shdr *s = sh[i]; - if (!memcmp((void*)((strtable[s-sh_name])), signature, -sizeof(signature))) { - DPRINTF((linux_atexit_sig=%s\n, - (strtable[s-sh_name]))); + + if (s-sh_name + sigsz sh[shstrndx].sh_size) + continue; + + error = exec_read_from(l, epp-ep_vp, stroff + s-sh_name, tbuf, + sigsz); + if (error) + goto out; + if (!memcmp(tbuf, signature, sigsz)) { + DPRINTF((linux_atexit_sig=%s\n, tbuf)); error = 0; goto out; } 
@@ -141,8 +134,6 @@ ELFNAME2(linux,atexit_signature)(l, epp, out: free(sh, M_TEMP); - if (strtable) - free(strtable, M_TEMP); return (error); } #endif @@ -216,59 +207,48 @@ out: #ifdef LINUX_DEBUGLINK_SIGNATURE /* - * Look for a .gnu_debuglink, specific to x86_64 interpeter + * Look for a .gnu_debuglink, specific to x86_64 interpreter */ int -ELFNAME2(linux,debuglink_signature)(l, epp, eh) - struct lwp *l; - struct exec_package *epp; - Elf_Ehdr *eh; +ELFNAME2(linux,debuglink_signature)(struct lwp *l, struct exec_package *epp, Elf_Ehdr *eh) { + Elf_Shdr *sh; size_t shsize; - int strndx; + u_int shstrndx; size_t i; static const char signature[] = .gnu_debuglink; - char *strtable = NULL; - Elf_Shdr *sh; - + const size_t sigsz = sizeof(signature); + char tbuf[sizeof(signature)]; int error; - /* - * load the section header table - */ + /* Load the section header table. */ shsize = eh-e_shnum * sizeof(Elf_Shdr); sh = (Elf_Shdr *) malloc(shsize, M_TEMP, M_WAITOK); error = exec_read_from(l, epp-ep_vp, eh-e_shoff, sh, shsize); if (error) goto out; - /* - * Now let's find the string table. If it does not exists, give up. - */ - strndx = (int)(eh-e_shstrndx); - if (strndx == SHN_UNDEF) { + /* Now let's find the string table. If it
CVS commit: [netbsd-5-1] src/doc
Module Name:src Committed By: msaitoh Date: Wed May 14 05:18:27 UTC 2014 Modified Files: src/doc [netbsd-5-1]: CHANGES-5.1.5 Log Message: Ticket 1902. To generate a diff of this commit: cvs rdiff -u -r1.1.2.3 -r1.1.2.4 src/doc/CHANGES-5.1.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-5.1.5 diff -u src/doc/CHANGES-5.1.5:1.1.2.3 src/doc/CHANGES-5.1.5:1.1.2.4 --- src/doc/CHANGES-5.1.5:1.1.2.3 Mon Apr 28 16:04:09 2014 +++ src/doc/CHANGES-5.1.5 Wed May 14 05:18:26 2014 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-5.1.5,v 1.1.2.3 2014/04/28 16:04:09 sborrill Exp $ +# $NetBSD: CHANGES-5.1.5,v 1.1.2.4 2014/05/14 05:18:26 msaitoh Exp $ A complete list of changes from the NetBSD 5.1.4 release to the NetBSD 5.1.5 release: @@ -49,3 +49,12 @@ sys/ufs/mfs/mfs_vfsops.c 1.107 a NULL pointer when particular arguments are given by a user. [maxv, ticket #1901] +src/sys/compat/linux/common/linux_exec_elf32.c 1.91 via patch + + A specially-crafted binary could easily control a kernel array index. + Add some checks to ensure that nothing will be read outside the + allocated area. Rewrite the code so that we don't need to allocate + the whole section. Spotted by several developers, patch from + chs@/enami@ + + [maxv, ticket #1902]
CVS commit: [netbsd-5] xsrc
Module Name:xsrc Committed By: msaitoh Date: Wed May 14 05:24:26 UTC 2014 Modified Files: xsrc/external/mit/libXfont/dist/src/fc [netbsd-5]: fsconvert.c fserve.c xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-5]: dirfile.c xsrc/xfree/xc/lib/font/fc [netbsd-5]: fsconvert.c fserve.c xsrc/xfree/xc/lib/font/fontfile [netbsd-5]: dirfile.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1905): src/sys/compat/linux/common/linux_exec_elf32.c 1.91 via patch A specially-crafted binary could easily control a kernel array index. Add some checks to ensure that nothing will be read outside the allocated area. Rewrite the code so that we don't need to allocate the whole section. Spotted by several developers, patch from chs@/enami@ To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.2 \ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \ xsrc/external/mit/libXfont/dist/src/fc/fserve.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.2 \ xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c cvs rdiff -u -r1.4 -r1.4.20.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \ xsrc/xfree/xc/lib/font/fc/fserve.c cvs rdiff -u -r1.4 -r1.4.8.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.2 --- xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1 Thu Sep 17 03:33:15 2009 +++ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c Wed May 14 05:24:26 2014 
@@ -120,6 +120,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp for (i = 0; i nprops; i++, dprop++, is_str++) { memcpy(local_off, off_adr, SIZEOF(fsPropOffset)); + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-name = MakeAtom(pdc[local_off.name.position], local_off.name.length, 1); if (local_off.type != PropTypeString) { @@ -127,10 +131,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp dprop-value = local_off.value.position; } else { *is_str = TRUE; + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-value = (INT32) MakeAtom(pdc[local_off.value.position], local_off.value.length, 1); if (dprop-value == BAD_RESOURCE) { + bail: free (pfi-props); pfi-nprops = 0; pfi-props = 0; @@ -714,7 +723,12 @@ fs_alloc_glyphs (FontPtr pFont, int size FSGlyphPtr glyphs; FSFontPtr fsfont = (FSFontPtr) pFont-fontPrivate; -glyphs = malloc (sizeof (FSGlyphRec) + size); +if (size (INT_MAX - sizeof (FSGlyphRec))) + glyphs = malloc (sizeof (FSGlyphRec) + size); +else +glyphs = NULL; +if (glyphs == NULL) +return NULL; glyphs-next = fsfont-glyphs; fsfont-glyphs = glyphs; return (pointer) (glyphs + 1); Index: xsrc/external/mit/libXfont/dist/src/fc/fserve.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.2 --- xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1 Thu Sep 17 03:33:15 2009 +++ xsrc/external/mit/libXfont/dist/src/fc/fserve.c Wed May 14 05:24:26 2014 @@ -73,6 +73,7 @@ in this Software without prior written a #include fservestr.h #include X11/fonts/fontutil.h #include errno.h +#includelimits.h #include time.h #define Time_t time_t 
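Review bot: The second added bounds check, in the string-property branch after `*is_str = TRUE;`, tests `local_off.name.position` and `local_off.name.length` again, but the `MakeAtom` call it guards uses `local_off.value.position` and `local_off.value.length`. The value offset and length supplied by the font server therefore still reach that call unvalidated. The check should test the value fields: `if ((local_off.value.position >= pi->data_len) || (local_off.value.length > (pi->data_len - local_off.value.position))) goto bail;` (the comparison operators are missing from this rendering of the diff and are assumed here). `_fs_convert_props` starts and ends outside the hunk, and the same hunk recurs in the netbsd-5-1 and netbsd-5-2 pull-ups of fsconvert.c further down.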
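Review bot: The new guard in `fs_alloc_glyphs` compares the `int size` parameter with `INT_MAX - sizeof (FSGlyphRec)`, which is an unsigned expression, so a negative `size` is rejected only because it converts to a large unsigned value (the comparison operator is lost in this rendering and is presumably `<`). That deserves a comment above the `if`, for example `/* size is signed; the unsigned comparison also rejects negative values */`, or an explicit `size < 0` test. The function now returns NULL for a rejected size or a failed malloc, so its callers need a NULL check; they are outside this hunk. The same hunk recurs in the netbsd-5-1 and netbsd-5-2 pull-ups below.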
@@ -94,6 +95,15 @@ in this Software without prior written a (pci)-descent || \ (pci)-characterWidth) +/* + * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words, + * so this converts for doing size comparisons. + */ +#define LENGTHOF(r)(SIZEOF(r) 2) + +/* Somewhat arbitrary limit on maximum reply size we'll try to read. */ +#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) 2) + extern void ErrorF(const char *f, ...); static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); @@ -209,9 +219,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGeneri rep-sequenceNumber, conn-reqbuffer[i].opcode); } + +#define _fs_reply_failed(rep, name, op) do {\ +if (rep) { \ +if (rep-type == FS_Error) \ +fprintf (stderr, Error: %d Request: %s\n, \ + ((fsError *)rep)-request, #name); \ +else\ +fprintf (stderr, Bad Length for %s Reply: %d %s %d\n, \ + #name, rep-length,
CVS commit: [netbsd-5] src/doc
Module Name:src Committed By: msaitoh Date: Wed May 14 05:24:46 UTC 2014 Modified Files: src/doc [netbsd-5]: CHANGES-5.3 Log Message: Ticket 1905. To generate a diff of this commit: cvs rdiff -u -r1.1.2.53 -r1.1.2.54 src/doc/CHANGES-5.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-5.3 diff -u src/doc/CHANGES-5.3:1.1.2.53 src/doc/CHANGES-5.3:1.1.2.54 --- src/doc/CHANGES-5.3:1.1.2.53 Wed May 14 05:15:06 2014 +++ src/doc/CHANGES-5.3 Wed May 14 05:24:46 2014 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-5.3,v 1.1.2.53 2014/05/14 05:15:06 msaitoh Exp $ +# $NetBSD: CHANGES-5.3,v 1.1.2.54 2014/05/14 05:24:46 msaitoh Exp $ A complete list of changes from the NetBSD 5.2 release to the NetBSD 5.3 release: @@ -774,3 +774,19 @@ src/sys/compat/linux/common/linux_exec_e chs@/enami@ [maxv, ticket #1902] + +xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c 1.2 +xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2 +xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.2 +xsrc/xfree/xc/lib/font/fc/fsconvert.c 1.5 +xsrc/xfree/xc/lib/font/fc/fserve.c 1.5 +xsrc/xfree/xc/lib/font/fontfile/dirfile.c 1.5 + + Fix multiple vulnerabilities in libXfont: + - CVE-2014-0209: integer overflow of allocations in font metadata + file parsing + - CVE-2014-0210: unvalidated length fields when parsing xfs protocol + replies + - CVE-2014-0211: integer overflows calculating memory needs for xfs + replies + [spz, ticket #1905]
CVS commit: [netbsd-5-1] xsrc
Module Name:xsrc Committed By: msaitoh Date: Wed May 14 05:26:15 UTC 2014 Modified Files: xsrc/external/mit/libXfont/dist/src/fc [netbsd-5-1]: fsconvert.c fserve.c xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-5-1]: dirfile.c xsrc/xfree/xc/lib/font/fc [netbsd-5-1]: fsconvert.c fserve.c xsrc/xfree/xc/lib/font/fontfile [netbsd-5-1]: dirfile.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1905): src/sys/compat/linux/common/linux_exec_elf32.c 1.91 via patch A specially-crafted binary could easily control a kernel array index. Add some checks to ensure that nothing will be read outside the allocated area. Rewrite the code so that we don't need to allocate the whole section. Spotted by several developers, patch from chs@/enami@ To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \ xsrc/external/mit/libXfont/dist/src/fc/fserve.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \ xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c cvs rdiff -u -r1.4 -r1.4.24.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \ xsrc/xfree/xc/lib/font/fc/fserve.c cvs rdiff -u -r1.4 -r1.4.12.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1.2.1 --- xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1 Thu Sep 17 03:33:15 2009 +++ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c Wed May 14 05:26:15 2014 
@@ -120,6 +120,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp for (i = 0; i nprops; i++, dprop++, is_str++) { memcpy(local_off, off_adr, SIZEOF(fsPropOffset)); + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-name = MakeAtom(pdc[local_off.name.position], local_off.name.length, 1); if (local_off.type != PropTypeString) { @@ -127,10 +131,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp dprop-value = local_off.value.position; } else { *is_str = TRUE; + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-value = (INT32) MakeAtom(pdc[local_off.value.position], local_off.value.length, 1); if (dprop-value == BAD_RESOURCE) { + bail: free (pfi-props); pfi-nprops = 0; pfi-props = 0; @@ -714,7 +723,12 @@ fs_alloc_glyphs (FontPtr pFont, int size FSGlyphPtr glyphs; FSFontPtr fsfont = (FSFontPtr) pFont-fontPrivate; -glyphs = malloc (sizeof (FSGlyphRec) + size); +if (size (INT_MAX - sizeof (FSGlyphRec))) + glyphs = malloc (sizeof (FSGlyphRec) + size); +else +glyphs = NULL; +if (glyphs == NULL) +return NULL; glyphs-next = fsfont-glyphs; fsfont-glyphs = glyphs; return (pointer) (glyphs + 1); Index: xsrc/external/mit/libXfont/dist/src/fc/fserve.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1.2.1 --- xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1 Thu Sep 17 03:33:15 2009 +++ xsrc/external/mit/libXfont/dist/src/fc/fserve.c Wed May 14 05:26:15 2014 @@ -73,6 +73,7 @@ in this Software without prior written a #include fservestr.h #include X11/fonts/fontutil.h #include errno.h +#includelimits.h #include time.h #define Time_t time_t 
@@ -94,6 +95,15 @@ in this Software without prior written a (pci)-descent || \ (pci)-characterWidth) +/* + * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words, + * so this converts for doing size comparisons. + */ +#define LENGTHOF(r)(SIZEOF(r) 2) + +/* Somewhat arbitrary limit on maximum reply size we'll try to read. */ +#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) 2) + extern void ErrorF(const char *f, ...); static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); @@ -209,9 +219,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGeneri rep-sequenceNumber, conn-reqbuffer[i].opcode); } + +#define _fs_reply_failed(rep, name, op) do {\ +if (rep) { \ +if (rep-type == FS_Error) \ +fprintf (stderr, Error: %d Request: %s\n, \ + ((fsError *)rep)-request, #name); \ +else\ +fprintf (stderr, Bad Length for %s Reply: %d %s %d\n, \ +
CVS commit: [netbsd-5-1] src/doc
Module Name:src Committed By: msaitoh Date: Wed May 14 05:26:31 UTC 2014 Modified Files: src/doc [netbsd-5-1]: CHANGES-5.1.5 Log Message: Ticket 1905. To generate a diff of this commit: cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-5.1.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-5.1.5 diff -u src/doc/CHANGES-5.1.5:1.1.2.4 src/doc/CHANGES-5.1.5:1.1.2.5 --- src/doc/CHANGES-5.1.5:1.1.2.4 Wed May 14 05:18:26 2014 +++ src/doc/CHANGES-5.1.5 Wed May 14 05:26:31 2014 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-5.1.5,v 1.1.2.4 2014/05/14 05:18:26 msaitoh Exp $ +# $NetBSD: CHANGES-5.1.5,v 1.1.2.5 2014/05/14 05:26:31 msaitoh Exp $ A complete list of changes from the NetBSD 5.1.4 release to the NetBSD 5.1.5 release: @@ -58,3 +58,19 @@ src/sys/compat/linux/common/linux_exec_e chs@/enami@ [maxv, ticket #1902] + +xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c 1.2 +xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2 +xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.2 +xsrc/xfree/xc/lib/font/fc/fsconvert.c 1.5 +xsrc/xfree/xc/lib/font/fc/fserve.c 1.5 +xsrc/xfree/xc/lib/font/fontfile/dirfile.c 1.5 + + Fix multiple vulnerabilities in libXfont: + - CVE-2014-0209: integer overflow of allocations in font metadata + file parsing + - CVE-2014-0210: unvalidated length fields when parsing xfs protocol + replies + - CVE-2014-0211: integer overflows calculating memory needs for xfs + replies + [spz, ticket #1905]
CVS commit: [netbsd-5-2] xsrc
Module Name:xsrc Committed By: msaitoh Date: Wed May 14 05:27:33 UTC 2014 Modified Files: xsrc/external/mit/libXfont/dist/src/fc [netbsd-5-2]: fsconvert.c fserve.c xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-5-2]: dirfile.c xsrc/xfree/xc/lib/font/fc [netbsd-5-2]: fsconvert.c fserve.c xsrc/xfree/xc/lib/font/fontfile [netbsd-5-2]: dirfile.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1905): src/sys/compat/linux/common/linux_exec_elf32.c 1.91 via patch A specially-crafted binary could easily control a kernel array index. Add some checks to ensure that nothing will be read outside the allocated area. Rewrite the code so that we don't need to allocate the whole section. Spotted by several developers, patch from chs@/enami@ To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \ xsrc/external/mit/libXfont/dist/src/fc/fserve.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c cvs rdiff -u -r1.4 -r1.4.30.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \ xsrc/xfree/xc/lib/font/fc/fserve.c cvs rdiff -u -r1.4 -r1.4.18.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1.4.1 --- xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1 Thu Sep 17 03:33:15 2009 +++ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c Wed May 14 05:27:33 2014 
@@ -120,6 +120,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp for (i = 0; i nprops; i++, dprop++, is_str++) { memcpy(local_off, off_adr, SIZEOF(fsPropOffset)); + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-name = MakeAtom(pdc[local_off.name.position], local_off.name.length, 1); if (local_off.type != PropTypeString) { @@ -127,10 +131,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp dprop-value = local_off.value.position; } else { *is_str = TRUE; + if ((local_off.name.position = pi-data_len) || + (local_off.name.length + (pi-data_len - local_off.name.position))) + goto bail; dprop-value = (INT32) MakeAtom(pdc[local_off.value.position], local_off.value.length, 1); if (dprop-value == BAD_RESOURCE) { + bail: free (pfi-props); pfi-nprops = 0; pfi-props = 0; @@ -714,7 +723,12 @@ fs_alloc_glyphs (FontPtr pFont, int size FSGlyphPtr glyphs; FSFontPtr fsfont = (FSFontPtr) pFont-fontPrivate; -glyphs = malloc (sizeof (FSGlyphRec) + size); +if (size (INT_MAX - sizeof (FSGlyphRec))) + glyphs = malloc (sizeof (FSGlyphRec) + size); +else +glyphs = NULL; +if (glyphs == NULL) +return NULL; glyphs-next = fsfont-glyphs; fsfont-glyphs = glyphs; return (pointer) (glyphs + 1); Index: xsrc/external/mit/libXfont/dist/src/fc/fserve.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1.4.1 --- xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1 Thu Sep 17 03:33:15 2009 +++ xsrc/external/mit/libXfont/dist/src/fc/fserve.c Wed May 14 05:27:33 2014 @@ -73,6 +73,7 @@ in this Software without prior written a #include fservestr.h #include X11/fonts/fontutil.h #include errno.h +#includelimits.h #include time.h #define Time_t time_t 
@@ -94,6 +95,15 @@ in this Software without prior written a (pci)-descent || \ (pci)-characterWidth) +/* + * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words, + * so this converts for doing size comparisons. + */ +#define LENGTHOF(r)(SIZEOF(r) 2) + +/* Somewhat arbitrary limit on maximum reply size we'll try to read. */ +#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) 2) + extern void ErrorF(const char *f, ...); static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); @@ -209,9 +219,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGeneri rep-sequenceNumber, conn-reqbuffer[i].opcode); } + +#define _fs_reply_failed(rep, name, op) do {\ +if (rep) { \ +if (rep-type == FS_Error) \ +fprintf (stderr, Error: %d Request: %s\n, \ + ((fsError *)rep)-request, #name); \ +else\ +fprintf (stderr, Bad Length for %s Reply: %d %s %d\n, \ +
CVS commit: [netbsd-5-2] src/doc
Module Name:src Committed By: msaitoh Date: Wed May 14 05:27:47 UTC 2014 Modified Files: src/doc [netbsd-5-2]: CHANGES-5.2.3 Log Message: Ticket 1905. To generate a diff of this commit: cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-5.2.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-5.2.3 diff -u src/doc/CHANGES-5.2.3:1.1.2.4 src/doc/CHANGES-5.2.3:1.1.2.5 --- src/doc/CHANGES-5.2.3:1.1.2.4 Wed May 14 05:16:02 2014 +++ src/doc/CHANGES-5.2.3 Wed May 14 05:27:47 2014 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-5.2.3,v 1.1.2.4 2014/05/14 05:16:02 msaitoh Exp $ +# $NetBSD: CHANGES-5.2.3,v 1.1.2.5 2014/05/14 05:27:47 msaitoh Exp $ A complete list of changes from the NetBSD 5.2.2 release to the NetBSD 5.2.3 release: @@ -58,3 +58,19 @@ src/sys/compat/linux/common/linux_exec_e chs@/enami@ [maxv, ticket #1902] + +xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c 1.2 +xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2 +xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.2 +xsrc/xfree/xc/lib/font/fc/fsconvert.c 1.5 +xsrc/xfree/xc/lib/font/fc/fserve.c 1.5 +xsrc/xfree/xc/lib/font/fontfile/dirfile.c 1.5 + + Fix multiple vulnerabilities in libXfont: + - CVE-2014-0209: integer overflow of allocations in font metadata + file parsing + - CVE-2014-0210: unvalidated length fields when parsing xfs protocol + replies + - CVE-2014-0211: integer overflows calculating memory needs for xfs + replies + [spz, ticket #1905]